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Abstract 

As historically acknowledged in the Reasoning about Actions and Change community, 
intuitiveness of a logical domain description cannot be fully automated. Moreover, like any 
other logical theory, action theories may also evolve, and thus knowledge engineers need 
revision methods to help in accommodating new incoming information about the behavior 
of actions in an adequate manner. The present work is about changing action domain 
descriptions in multimodal logic. Its contribution is threefold: first we revisit the semantics 
of action theory contraction proposed in previous work, giving more robust operators that 
express minimal change based on a notion of distance between Kripke-models. Second 
we give algorithms for syntactical action theory contraction and establish their correctness 
with respect to our semantics for those action theories that satisfy a principle of modularity 
investigated in previous work. Since modularity can be ensured for every action theory 
and, as we show here, needs to be computed at most once during the evolution of a domain 
description, it does not represent a limitation at all to the method here studied. Finally 
we state AGM-like postulates for action theory contraction and assess the behavior of our 
operators with respect to them. Moreover, we also address the revision counterpart of 
action theory change, showing that it benefits from our semantics for contraction. 

1. Introduction 

Consider an intelligent agent designed to perform rationally in a dynamic world, and suppose 
that she should reason about the dynamics of an automatic coffee machine (Figure I). 




Figure I: The coffee deliverer agent. 

Suppose, for example, that the agent believes that coffee is always a hot beverage. 
Suppose now that some day she gets a coffee at the machine and observes that it is cold. 
In such a case, the agent must change her beliefs about the relationship between the two 
propositions "I hold a coffee" and "I hold a hot drink". This example is an instance of 
the problem of changing prepositional belief bases and has been largely addressed in the 
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literature about belief revision (Alchourron, Gardenfors, & Makinson, 1985; Gardenfors, 
1988; Hansson, 1999) and belief update (Katsuno & Mendelzon, 1992). 

Next, let our agent believe that whenever she buys a coffee from the machine, she gets a 
hot drink. This means that in every state of the world that follows the execution of buying 
a coffee, the agent ends up with a hot drink. Now, in a situation where the machine is 
running out of cups, after buying, the coffee runs through the shelf and the agent, contrary 
to what she was expecting, does not hold a hot drink in her hands. 

Imagine now that the agent never considered any relation between buying a coffee on the 
machine and its service availability, in the sense that she always believed (quite reasonably) 
that buying does not prevent other users from using the machine. Nevertheless, someday 
our agent is queuing to buy a coffee and observes that just after the agent before her has 
bought, the machine went out of order (maybe due to a lack of coffee powder). 

Completing our agent's struggle in discovering the intricacies of operating a coffee ma- 
chine, let us suppose now that she always believed that if she has a token, then it is possible 
to buy coffee, provided that some other preconditions like being close enough to the button, 
having a free hand, etc, are satisfied. Eventually, due to a blackout, the agent realizes that 
she does not manage to buy her coffee, even with a token. 

The last three examples illustrate cases in which changing the beliefs about the behavior 
of the action of buying coffee is mandatory. In the first one, buying coffee, once believed to 
have a deterministic outcome, namely always a hot drink, has now to be seen as nondeter- 
ministic or, alternatively, to have a different effect in a more specific context (e.g. if there 
is no cup in the machine). In the second example, buying a coffee is now known to have 
side-effects (ramifications) which one was not aware of. Finally, in the last example, the 
feasibility of the action under concern is questioned in the light of new information showing 
a context that was not known to preclude its execution. 

Such cases of theory change are very important when one deals with logical descriptions 
of dynamic domains: it may always happen that one discovers that an action actually has 
a behavior that is different from that one has always believed it had. 

Up to now, theory change has been studied mainly for knowledge bases in classical logics, 
both in terms of revision and update. Since the work by Fuhrmann (1989), only in a few re- 
cent studies has it been considered in the realm of modal logics, viz. in epistemic logic (Hans- 
son, 1999) and in dynamic logics (Herzig, Perrussel, & Varzinczak, 2006). Recently some 
studies have investigated revision of beliefs about facts of the world (Shapiro, Pagnucco, 
Lesperance, & Levesque, 2000; Jin & Thielscher, 2005) or the agent's goals (Shapiro, 
Lesperance, & Levesque, 2005). In our scenario, this would concern for instance the truth 
of token in a given state: the agent believes that she has a token, but is actually wrong 
about that. Then she might subsequently be forced to revise her beliefs about the current 
state of affairs or change her goals according to what she can perform in that state. Such 
belief revision operations do not modify the agent's beliefs about the action laws. On the 
other hand, here we are interested exactly in such modifications. Starting with Baral and 
Lobo's work (1997), some recent studies have been done on that issue (Eiter, Erdem, Fink, 
& Senko, 2005) for domain descriptions in action languages (Gelfond & Lifschitz, 1993). 

We here take a step further in this direction and propose a method which is more robust 
by integrating a notion of minimal change and complying with postulates of theory change. 
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The present text is structured as follows: in Section 2 we establish the formal back- 
ground that will be used throughout this article. Sections 3-6 are the core of the work: in 
Section 3 we present the central definitions for a semantics of action theory change, pro- 
viding justifications for the design choices here made (Section 4). Section 5 is devoted to 
the syntactical counterpart of our operators while Section 6 to the proof of its correspon- 
dence with the semantics under certain acceptable conditions. In Section 7 we discuss some 
postulates for contraction/erasure and then present a semantics for action theory revision 
(Section 8). After a discussion on and comparison with existing work in the field (Section 9), 
we conclude with an overview and future directions of research. 

2. Logical Preliminaries 

Following the tradition in the Reasoning about Actions and Change (RAC) community, 
we consider action theories to be finite collections of statements that have the particular 
form (Shanahan, 1997): 

• if context, then effect after every execution of action (effect laws); 

• if precondition, then action executable (executability laws). 

Statements mentioning no action at all represent laws about the underlying structure of the 
world, i.e., its possible states (static laws). 

Several logical frameworks have been proposed to formalize such statements (Shanahan, 
1997). Among the most prominent ones are the first-order based Situation Calculus (Mc- 
Carthy & Hayes, 1969; Reiter, 2001), the family of Action Languages (Gelfond & Lifschitz, 
1993; Giunchiglia, Kartha, & Lifschitz, 1997), the Fluent Calculus (Thielscher, 1997), and 
Propositional Dynamic Logic (PDL) (Harel, Tiuryn, & Kozen, 2000) with different spe- 
cific extensions thereof (De Giacomo & Lenzerini, 1995; Castilho, Gasquet, & Herzig, 1999; 
Zhang k Foo, 2001; Castilho, Herzig, & Varzinczak, 2002). 

Here we opt to formalize action theories using the multimodal logic K n (Popkorn, 1994). 
Among the main reasons for such a choice are: 



• 



• 



We benefit from the well defined semantics for multimodal logics which, as we are 
going to see in the sequel, provides simple and intuitive foundations on which to build 
the meaning of changing action domain descriptions. 

K n syntax allows us to express all the afore mentioned types of laws without requiring 
the full expressiveness of PDL or the machinery of a first-order language. 



• Since K n is the core of all above mentioned PDL-based action formalisms, all we shall 
say in the sequel should smoothly transfer to them. 

• Contrary to first-order based approaches, K n is decidable and has several implemented 
theorem p rovers for it available in the literature. 
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2.1 Action Theories in Multimodal Logic 

Let 2tct = {ai, 0,2, ■ ■ . , On} be the set of all atomic action constants of a given dynamic 
domain. An example of atomic action is buy. To each atomic action a there is associated 
a modal operator [a]. We here suppose that our multimodal logic is independently axioma- 
tized (Kracht & Wo Iter, 1991), i.e., the logic is a fusion and there is no interaction between 
the different modal operators. 1 

*Ptop = {pi,P2, ■ ■ ■ , P n } denotes a finite set of propositional constants, also called fluents 
or elementary atoms. Examples of those are token ("the agent has a token") and coffee 
("the agent holds a coffee"). £it = {p, —>p : p £ *Prop} is the set of literals. We use £ to 
denote a literal. If £ = —>p, then we identify —>£ with p. By \£\ we denote the atom in £. 

We use small Greek letters tp,ip,... to denote Boolean (propositional) formulas. They 
are recursively defined in the usual way: 

if ::= p | T | _L | -xp \tpAtp\<p\/ip\(p—>ip\<p++(p 

(ip ffi ip denotes (ip V ip) A —>(<p A ip).) 5"m[ is the set of all Boolean formulas. An example of a 
Boolean formula is coffee — > hot. A propositional valuation v is a maximal consistent set of 
literals. We denote by v lh ip the fact that v satisfies a propositional formula if. By val(ip) 
we denote the set of all valuations satisfying ip. By CPL we denote Classical Propositional 
Logic and t is its respective consequence relation. Cn(ip) denotes all logical consequences 
of ip in CPL, i.e., Cn(ip) = {ip : if b= PL V , j- 

If if is a propositional formula, atm(ip) denotes the set of elementary atoms actually 
occurring in if. For example, atm(^p 1 A (->Pi V p 2 )) = {Pi,^}- 

For ip a Boolean formula, IP(f) denotes the set of its prime implicants (Quine, 1952), 
i.e., the weakest terms (conjunctions of literals) that imply ip. As an example, IP(p\ © p 2 ) = 
{pi A _, P25 ~^Pi ^ £*2j- For more on prime implicants, their properties and how to compute 
them, see the chapter by Marquis (2000). With it we denote a prime implicant, and given £ 
and 7T, £ £ ir abbreviates '£ is a literal of 7r'. For a given set X , X denotes its complement. 
Hence atm(n) denotes ^3top \ atm(ir). 

We denote complex formulas (possibly with modal operators) by $,&,. . . They are 
recursively defined in the following way: 

(p ::= if | [a]# |-i<P|0A0|0V0|0->#|0<H>^ 

(a) is the dual operator of [a], defined by (a)<P =def _, [a] - '^- An instance of a complex 
formula in our scenario example is ^coffee — > [buy]coffee. 

Given a complex formula <P, with act(^>) we denote the action names occurring in 0, 
i.e., the modalities of <P. For example, act([a2]pi A ([ai]]?2 ~~ ^ I^ft)) = {«i, 0-2}- 

The semantics here is the standard semantics of multimodal logic K n (Popkorn, 1994). 

Definition 2.1 (K„-Model) A K n -model is a tuple J{ = (W, R) where W is a set of valu- 
ations (also called possible worlds), and R maps action constants a to accessibility relations 
R a CWxW. 



1. Later on we will see that this is a requirement to ensure that an action theory is modular. 
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As an example, for 2lct = {ai, 02} and ^3top = {^1,^2}) we have the K ra -model 
(W,R), where 

W= {{Pi,p 2 } ) {Pi ) -'P2} ) {-'Pi,P2}} ! 



R(a\] 



({Pl.P2}.{Pl.-'P2}).({Pl.P2}.{- , Pl.P2}). 



({Pi; -"Pz}. (Pi. "^2}), ({Pi> -P2}) {"'Pi, P2D 
i2(02) = {({Pi,P 2 },-hPi,P2}),({-Pi,P2},-hPi,P2})} 
Figure 2 gives a graphical representation of the model ^#. 



«i 



«'i 



(Pl.fe) - 



"1 




► (Pl»-'P2) 



Figure 2: Example of a K ra -model for 2lct = {ai, 02}, an d *}3top = {p l5 J3 2 }- 

Notice that our definition of K ra -model does not follow the traditional notion from modal 
logics: here no two worlds satisfy the same valuation. This is a pragmatic choice, as we 
will see in Section 5. Nevertheless, all we shall say in the sequel can be straightforwardly 
formulated for standard K n models as well. 

Definition 2.2 (Truth Conditions) Given a K n -model ^ = (W,R), 

|= p (p is true at world w of M ') iff w lh p (valuation w satisfies p, i.e., p £ w); 

\= [a]4> iff \=,$ for every w' such that (w,w') £ R a ; 

\= <£ A W iff \= $ and t <P; 

1= -^ iff^ $, i-e., not t= $; 

truth conditions for the other connectives are as usual. 

By M we will denote a (possibly empty) set of K ra -models. 

A K ra -model j& is a model of <P (denoted |= <&) if and only if for all w £ W, \= <P. In the 

model depicted in Figure 2, we have \= p 1 — > [a2]P2 an d l = Pi Vp 2 - J& is a model of a set 
of formulas X (noted |= X) if and only if |= <P for every <P £ X. If X is the set of formulas 
we start off with (our non- logical theory), then each <P £ X is called a global axiom. 
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Definition 2.3 (Global Consequence) A formula <P is a global consequence of a set 
of global axioms E in the class of all K n -models (noted X |= <P) if and only if for every 

K n -model Jl , if \= S, then |= <£. 

With K n we can state laws describing the behavior of actions. One way of doing this is by 
stating some formulas as global axioms. 2 As usually done in the RAC community (Shana- 
han, 1997), we here distinguish three types of laws. The first kind of statements are static 
laws, which are constraints on the allowed states of a dynamic domain. 

Definition 2.4 (Static Law) A static law is a global axiom ip £ 5"m[. 

An example of a static law is coffee — > hot, saying that if the agent holds a coffee, then she 
holds a hot drink. In the Situation Calculus formalism (Reiter, 2001) one would write the 
first-order formula \/s.[coffee{s) — > hot(s)]. The set of all static laws of a scenario is denoted 
by S C StnL In our example we will have S = {coffee — > hot}. 

The second kind of action law we consider is given by the effect laws. These are formulas 
relating an action to its effects, which can be conditional. 

Definition 2.5 (Effect Law) Let ip,ip £ #m[. An effect law for action a is a global axiom 
of the form cp — > [a]tp. 

The consequent ip is the effect which always obtains in accessible states (which need not 
exist in general) when action a is executed in a state where the antecedent (p holds. In our 
Kripke semantics, this means that in every possible world where ip holds, every transition 
by an a-labeled arrow (if any) leads to a possible world where ip holds. If a is a nondeter- 
ministic action, then the consequent ip is typically a disjunction. An example of an effect 
law is ^coffee — > [buy]coffee, saying that in a situation where the agent has no coffee, after 
buying, the agent has a coffee. If ip is inconsistent, then we have a special kind of effect 
law that we call an in ex ecut ability law. For example, we could also have ^token — > [buy]-L, 
expressing that buy cannot be executed if the agent has no token. In the Situation Cal- 
culus our examples of effect and inexecutability laws would be expressed respectively as 
Vs.[-icoifee(s) — > coffee(do(buy, s))] and Vs.[-^tohen(s) — > ~^Poss(buy, s)]. 

The set of effect laws of a given scenario is denoted by £ . In our coffee machine scenario, 
we could have for example: 

{^coffee^- [buy] coffee, 
tokens [buy]->token, 
-•token — > [buy]-L 

Finally, we also define executability laws, which stipulate the context where an action is 
guaranteed to be executable. In K n , the operator (a) is used to express executability (a)T 
thus reads "the execution of a is possible". Formally, (a)T being true in a world w means 
that there is at least one world w' accessible from w via R a (cf. Definition 2.2). 



2. An alternative to that is given by Castilho et al. (1999, 2002), with laws being stated with the aid of an 
extra universal modality and local consequence being thus considered. 
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Definition 2.6 (Executability Law) Let <p £ 5"mL An executability law for action a is 
a global axiom of the form cp — > (a)T . 

For instance, token — > (buy)T says that buying can be executed whenever the agent has a 
token. The set of all executability laws of a given domain is denoted by X . In our scenario 
example we will have X = {token — > (buy)T}. 

Note that in principle one needs to know nothing about the accessible world w' . However, 
a common (albeit tacit) assumption in the RAC community is that we state executability 
laws only for actions of which we know the effects, in other words act(X) C act{£). 

In the Situation Calculus our example would be stated as Ws.[token(s) — > Poss(buy,s)]. 
However, we point out that, traditionally, in Reiter basic action theories (Reiter, 2001) 
executability laws and inexecutability laws are mixed together in the form of bi-conditionals 
like \/s.[token(s) -B- Poss(buy, s)], called precondition axioms. For a critique of such a 
practice and its implications in formalizing dynamic domains, see the work by Herzig and 
Varzinczak (2007). 

With our three basic types of laws, we are able to define action theories: 

Definition 2.7 (Action Theory) Given any (possibly empty) sets of laws S, £, and X, 
T= S L) £ L) X is an action theory. 

Given an action theory Tand an action a, £ a (resp. X a ) will denote the set of only those 
effect (resp. executability) laws about a in £ (resp. X). T a = S U £ a U X a is then the action 
theory for a. 

It is worth noting that for a\, a^ £ 2tct, a\ ^ a2, the intuition is indeed that T ai and T a2 
overlap only on <S, i.e., the only laws that are common to both T ai and T a2 are the laws 
about the structure of the world. This requirement is somehow related with the underlying 
modal logic being independently axiomatized (see note above). 

2.2 The Frame, Ramification and Qualification Problems 

During the last 40 years, most of the effort in the reasoning about actions community has 
been devoted to searching for satisfactory solutions to the frame problem, the ramification 
problem and the qualification problem. 

Roughly speaking, the frame problem (McCarthy & Hayes, 1969) relates to the need for 
inferring the persistence of some facts of the world after the execution of an action known 
not to affect them, without having to state that explicitly in the form of frame axioms. 
(Frame axioms are a special type of effect law, having the form £ — > [a]£, for £ £ £it.) 
In our example, buying a coffee in a context where the agent has already got one does 
not make it lose the coffee: coffee — > [buy]coffee should be a consequence of our theory. 
The ramification problem (Finger, 1987) comes from the observation that an action may 
have several possibly interdependent effects and stating all of them explicitly is a huge 
task. In our scenario, we want to be able to infer [buy]hot without saying it in the theory, 
and in such a way some intrinsic causal connection between coffee and hot is taken into 
account. Finally, the qualification problem (McCarthy, 1977) amounts to addressing the 
issue of ensuring that an action is executable in a given context. Specifying all the sufficient 
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conditions for an action to be executable is an incredibly hard task. In our example, one 
may state token — > (buy)T, but it may well be the case that buying fails due to some 
condition unforeseen at design time, like the agent's arm being rusty and stuck. 

For more on these core problems of the RAC community, the reader is referred to the 
book by Shanahan (1997). 

For the sake of clarity, here we abstract from the frame and ramification problems, and 
suppose that the agent's theory already entails all the relevant frame axioms. We point out 
however that all we shall say could have been defined within a formalism with a solution to 
the frame and ramification problems. For instance, we could have used any suitable solution 
to the frame problem, like e.g. the dependence relation (Castilho et al., 1999), which is used 
in the work of Herzig et al. (2006), or a kind of successor state axioms in a slightly modified 
setting (Demolombe, Herzig, & Varzinczak, 2003). To make the presentation more clear- 
to the reader, here we do not bother with a particular solution to the frame problem and 
just assume that all frame axioms can be inferred from the action theory. Actually we 
can suppose that all intended frame axioms are automatically recovered and stated in the 
theory, more specifically, in the set of effect laws. 

Given the largely acknowledged difficulty of the qualification problem in the litera- 
ture (Shanahan, 1997), we do not assume here any a priori solution to it. Instead, as tacitly 
assumed in many approaches to reasoning about actions (Castilho et al., 1999; Zhang & 
Foo, 2001; Reiter, 2001), we suppose that the knowledge engineer may want to state some 
(not necessarily fully specified) executability laws for some actions. These may be incorrect 
at the starting point (and in all probability they will be), but revising wrong executability 
laws is an approach towards its solution and one of the aims of this work. With further 
information the knowledge engineer will have the chance to change them so that eventually 
they will correspond to the intuition (cf. Sections 3 and 8). 

Having agreed on these points, the action theory of our example will be: 

{coffee — > hot, token — > (buy)T, 
^coffee ->• [buy]coffee, 
token — > [buy]->token, ->token — > [buy]-L, 
coffee — > [buy]coffee, hot — > [buy]hot 

(We have not stated the frame axiom -^token — > [buy]^token because it can be trivially 
deduced from the inexecutability law -^token — > [buy]-L.) 

Figure 3 below shows a K n -model for the action theory 7~above. 

We are going to see in the sequel that the finite base T formalizing the action theory 
plays a role in the contraction of laws. In particular, the base representing the static laws 
turns out to be quite important. So given an action theory T, it will be useful to consider 
models of T whose possible worlds are all the possible valuations allowed by S: 

Definition 2.8 (Canonical Frame) Let T = S \J £ \J X be an action theory. Then the 
tuple Jtcan = ( W can , Rcan) is the canonical frame of T if and only if: 

• W can = val(S); and 

• Rcan = Uaesict^a s - f - R a = {(w , w') : for all ip -> [a]ijj G £ a , if |= ip, then |=»- 
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Figure 3: A model for our coffee machine scenario: b, £, c, and /i stand for, respectively, 
buy, token, coffee, and hot. 



The canonical frame of an action theory need not be one of its models. To witness why, 
let *Ptop = {p}, 2lct = {a}, and consider the simple action theory {p — > [a]-L,p — > {a)T}. 
Then in the associated canonical frame we have W can = {{p}, {^p}}- Clearly the world {p} 
does not satisfy this theory. 

Definition 2.9 (Canonical Model) j% is a canonical model ofTif and only if ^ is a 
canonical frame of T and |= T- 

Figure 4 below shows the canonical model of our action theory example 1~. 

(-.f, cfft) 



(t, c, ft) 





b (t, -ic, ft) 



(-.<,-.£, -.ft) (f,-.C,~.ft) (~.f,-.C,ft) 

Figure 4: The canonical model for the coffee machine scenario. 



2.3 Prime Valuations 

We say that an atom p is essential to a formula ip if and only if p £ atm(tp') for every y/ 
such that hrpiV ^ < ^'- For instance, p 1 is essential to ->p 1 A (-ip 1 V p 2 )- Given ip, atml(cp) 
denotes the set of essential atoms of <p. (If ip is not contingent, i.e., <p is a tautology or a 
contradiction, then atml(ip) = 0.) 

Given y> a Boolean formula, </?* is the set of all formulas <p' such that ip \= <p' and 
atm((p') C atml(p). For instance, p t Vp 2 ^ Pi*, as ^ b j? 1 Vp 2 but atm(p 1 Vp 2 ) 2 
aira!^). Clearly, atm([\p*) = atm\(/\<p*), moreover whenever |= <p f-> ip' is the case, 
then atml(p) = atm\((p') and also ip* = ip'*. 
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Theorem 2.1 (Least Atom-Set Theorem, Parikh, 1999) Letip be a propositional for- 
mula. Then hrpi^ ^ Av 9 *; and for every ip' such that K= ip f-> ip' , atm(ip*) C atm(ip'). 

A proof of this theorem is given by Makinson (2007) and we do not state it here. 
Essentially, the theorem establishes that for every Boolean formula <p, there is a unique 
least set of elementary atoms such that <p may equivalent ly be expressed using only atoms 
from that set. Hence, Cn(ip) = Cn((p*). 

Given a valuation v, if C v is a subvaluation. Given a set of valuations W, a subvaluation 
if satisfies a propositional formula <p modulo W (noted if IK, ip) if and only if v lh <p for all 
v G W such that if C v. We say that a subvaluation v essentially satisfies ip (modulo W), 

noted v IK. ip, if and only if v IK, ip and {\£\ : £ G i>} C atm\(ip). If i> IK (/?, we call i> an 
essential subvaluation of y> (modulo W). 

Definition 2.10 (Prime Subvaluation) Let ip be a Boolean formula and W a set of val- 
uations. A subvaluation v is a prime subvaluation of ip (modulo W) if and only if u IK ip 

and there is no if C v such that if IK' ip. 

A prime subvaluation of a formula <p is thus one of the weakest states of truth in which ip 
is true. Hence, prime subvaluations are just another way of seeing prime implicants (Quine, 
1952) of ip. By base(ip, W) we will denote the set of all prime subvaluations of <p modulo W. 

Proposition 2.1 Let ip G #ml and W be a set of valuations. Then for all w G W, w lh ip 
if and only if w lh V„ G 6 ase ( v ,M0 Atev £ - 

Proof: Right to left direction is straightforward. For the left to right direction, if w lh <p, 
then w lh ip*. Let w' C w be the least subset of w still satisfying ip*. Clearly, w' is a prime 
subvaluation of <p modulo W, and then because w lh f\^ w < i, the result follows. □ 

2.4 Closeness between Models 

When contracting a formula from a model, we will perform a change in its structure. Because 
there can be several different ways of modifying a model (not all of them minimal), we need 
a notion of distance between models to identify those that are closest to the original one. 

As we are going to see in more depth in the next section, changing a model amounts 
to modifying its possible worlds or its accessibility relation. Hence, the distance between 
two K ra -models will depend upon the distance between their sets of worlds and accessibility 
relations. These here will be based on the symmetric difference between sets, defined as 
X-Y = {X\Y)U(Y\X). 

Definition 2.11 (Closeness between K re -Models) Let J{ = (W, R) be a model. Then 
Jt 1 = (W, R!) is at least as close to Jt as J(" = {W",R"), noted Ji' -<,.g Jt h ' , if and only if 

• either W-W C W- W" ; 

• or W-W = W-W' and R-R' C R-R". 
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This is an extension of Burger and Heidema's relation (Burger & Heidema, 2002) to our 
modal case. It defines a lexicographic order on the set of all K ra -models. Although simple, 
this notion of closeness turns out to be sufficient for our purposes here, as we shall see in the 
sequel. Notice that other notions of distance between models could have been considered as 
well, namely the cardinality of symmetric differences or Hamming distance. (See Section 4 
for a discussion on this.) 

3. Semantics of Action Theory Change 

When admitting the possibility of a law ^ failing, one must ensure that <P becomes invalid, 
i.e., not true in at least one model of the dynamic domain that is formalized. Because there 
can be lots of such models, we may have a set M. of models in which <P is (potentially) valid. 
Thus contracting $ amounts to making it no longer valid in this set of models. What are 
the operations that must be carried out to achieve that? Throwing models out of M. does 
not work, since <P will keep on being valid in all models of the remaining set. Thus one 
should add new models to M. Which models? Well, models in which <P is not true. But 
not any of such models: taking models falsifying that are too different from our original 
models will certainly violate the principle of minimal change. 

Hence, we shall take some model ^# 6 M. as basis and manipulate it to get a new model 
jtfC in which ^ is not true. In our modal semantics, the removal of a law ^ from a model 
^ = (W,R) means modifying the possible worlds or the accessibility relation in j$. so that 
<!> becomes false. Such an operation gives as result a set j^$ of models each of which is no 
longer a model of &. But if there are several candidates, which ones should we choose? We 
shall take those models that are minimal modifications of the original ^, i.e., those which 
are minimal with respect to our distance -<.g between models. Of course, there can be more 
than one such an ^' that is minimal with respect to rl#- In that case, because adding 
just one of these new models is enough to invalidate ^, we take all possible combinations 
M U {^#'} of expanding our original set of models M by one of these minimal models. 
(Observe that this approach relates to orderly maxichoice contraction Hansson, 1999.) The 
result will be a set of sets of models. In each set of models there will be precisely one model 
<M' falsifying 0. 

It might be claimed that, as such, our contraction method described above does not 
respect the so-called principle of categorical matching: the input and output are different 
sorts of objects, namely a set of models and a set of sets of models. It is easy to see, 
however, that the reasoning above can be stated in such a way that each output set of 
models corresponds precisely to the result of one contraction operator, satisfying then the 
referred principle. The choice for defining the result of an operation as a set of possible 
outputs will become more clear in Section 5, where we are going to present algorithms that 
correspond exactly to our semantic constructions. 

3.1 Model Contraction of Executability Laws 

To contract an executability law ip — > (a)T from one model, intuitively we should remove 
transitions leaving y)-worlds. In order to succeed in the operation, we have to guarantee 
that in the resulting model there will be at least one </>world with no departing o-arrow. 



199 



Varzinczak 

Definition 3.1 Let JZ = (W, R). JZ' = ( W, Rl) <E ~^~_, {a)T if and only if 

• W = W; 

• R! C R; 

• if (w, w') E R\ R 1 , then \= ip; and 

• there is w e W 1 such that U= in — > (a)T. 

"w * ' 

Observe that ^#~ , ,_ ^ if and only if in is satisflable in W. Moreover, ^ e ^~ , .-,- 
if and only if p <£> — > (a)T. 

Just to provide the reader with an insight on how this operation would be carried out 
in the Situation Calculus, there one should look at a given situation s in which <p holds 
and then modify the interpretation of the predicate Poss(a) so that it becomes false in s. 
Like in our case, there may be many of such situations and then all of them must be taken 
into account. An essential difference here is that our Kripke structures are always finite, 
whereas the space of situations is possibly infinite (Reiter, 2001). 

To get minimal change, we want such an operation of removing transitions to be minimal 
with respect to the original model: one should remove a minimum set of transitions which 
is sufficient to get the desired result. 

Definition 3.2 contract{^ , ip — > (a)T) = U mm {^~_4/ a \y — ■# } 

And now we define the sets of possible models resulting from the contraction of an 
executability law in a set of models: 

Definition 3.3 Let M. be a set of models, and <p — > (o)T an executability law. Then 
M~_^ {a)T = {M' : M' = MU{^'},JZ' e contract^, ip ->• {a)T),JK e M} 

In our running example, consider Ai = {^}, where ^# is the model in Figure 4. When 
the agent discovers that even with a token she does not manage to buy a coffee any more, 
she has to change her models in order to admit (new) models with states where token is 
the case but from which there is no 6uy-transition at all. Because having just one such 
a world in each new model is enough, taking those resulting models whose accessibility 
relations are maximal guarantees minimal change. Hence we will have M~^ oken _^i hu \y = 
{M U {JK[}, M U {JZ2}, M U {-#3}}, where each Jt[ is depicted in Figure 5. 

Clearly, if ip is not satisfied in .M, i.e., |= -up for all j% £ M, then the contraction 
of (p — > (a)T does not succeed. This is in line with the expectations and it relates to the 
Success Postulate (cf. Section 7.2). 
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Figure 5: Models resulting from contracting token — > (buy)T in the model ^# of Figure 4. 



3.2 Model Contraction of Effect Laws 

When our agent discovers that there may be some cases where after buying she gets no 
hot drink, she must e.g. give up the belief in the effect law token — > [buy]hot in her set of 
models. This means that token A (buy)^hot shall now be admitted in at least one world of 
some of the new models of her set of beliefs. Therefore, to contract an effect law <p — > [a]ip 
from a given model, intuitively we have to add new transitions from ^-worlds to worlds not 
satisfying ip. As we shall see, the great challenge in such an operation is precisely how to 
guarantee minimal change. 

In our example, when contracting token — > [buy]hot from the model of Figure 4 we shall 
add transitions from tofcen-worlds to -i/ioi-worlds. Because coffee — > hot is a static law and 
so is -ihot — > -^coffee, this should also give us (buy) ^coffee in some token- world (^coffee is 
causally relevant to —>hot, i.e., to have -i/toi we must also have ^coffee). This means that if 
we allow for (buy)^hot in some iofcen-world, we also have to allow for (buy)^coffee in that 
same world. The same argument does not necessarily hold for token: allowing for (buy)^hot 
does not necessarily oblige us to allow for (buy) token in the respective world. This is because 
token is not relevant to -^hot (as -^coffee is). This means that we have the freedom either 
to allow for it or not. 

Hence, in our running example we can add transitions from tofcen-worlds to -^hot A 
-^coffee A iofcen-worlds, as well as to -ifiot A -^coffee A -^token. This situation is depicted in 
Figure 6. For instance, we can add a new buy-a,rrow from the world {token, —> coffee, —>hoi\ 
to one of these candidates (Figure 7). 

In the Situation Calculus, such a modification would be slightly different, but with the 
same intuition behind: one should look at a given situation s in which <p holds and then 
modify the interpretation of the fluents (atoms) in do(a,s), the situation resulting from 
performing a in s. Alternatively, new ^-situations should lead to at least one -^-situation. 
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Figure 6: Candidate worlds to receive transitions coming from tofcen-worlds. 



(-.f, c, ft) 



(f, e, ft) 




(i, -.c, ft) 



(-.f,-.c,-.fe)< -(f,-.c,-.A) (-.f,-.c,fe) 



Figure 7: Two candidate new 6wi/-arrows to falsify tofcen — > [buy]hot in „#. 



Notice however that this would require the addition of new whole branches to the tree-like 
first-order model induced by Reiter basic action theories (Reiter, 2001). 

Back to our example, observe that adding the new transition to {token, —> coffee, —>hot} 
itself would make us lose the effect -^token, true after every execution of buy in the original 
model (|= token — > [buy]^token) . How do we preserve this law while allowing for the new 
transition to a -iftot- world? That is, how do we get rid of the effect hot without losing effects 
that are not relevant for that? We here develop an approach for this issue. 

When adding a new transition leaving a world w we intuitively want to preserve as many 
effects as we had before doing so. To achieve this, it is enough to preserve old effects only 
in w (because the remaining structure of the model remains unchanged after adding the 
new transition). Of course, we cannot preserve effects that are inconsistent with —iip (those 
will all be lost). Hence it suffices to preserve only the effects that are consistent with —iijj. 
To achieve that we must observe what is true in w and in the target world w'\ 

• The proper effects of the action in world w' , i.e., what changes from w to w' (w' \ w) 
through the new execution of a must be what is obliged to be so: either because those 
literals that now change from w to w' are necessary to having —iip in w' (like ^coffee 
in our example) or because they are necessary to have another effect (independent of 
—>ip, like -itofcen) in world w'. 
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• The non-effects of action a in world w' , i.e., what does not change from w to w' 
(w Pi w') through a's new execution should be only what is allowed to be so: certain 
literals are never preserved (like token in our example), then when pointing the new 
transition towards a world where it does not change with respect to the leaving world 
(—>hot A ^coffee A token in our example), we may lose effects that held in w before 
adding the transition. 

This means that the only things allowed to change in the candidate target world must 
be those that are forced to change, either by some non-related law or because of having 
—>i/j modulo a set of states W. In other words, we want the literals that (now) change from 
w to w' to be at most those that are sufficient to get —iip modulo W, while preserving the 
maximum of other effects. Every change beyond that is not an intended one. Similarly, 
we want the literals from w that are (now) preserved in the target world w' to be at most 
those that are usually preserved in a given set of models. Every preservation beyond those 
may make us lose some law. This looks like prime implicants, and that is where prime 
subvaluations play their role: the worlds to which the new transition will point are those 
whose difference with respect to the departing world are literals that are relevant and whose 
similarity with respect to it are literals that we know do not change. 

Definition 3.4 (Relevant Target Worlds) Let Jt = (W,R) be a model, w,w' £ W, M 
a set of models such that M £ M., and ip — > [a]ip an effect law. Then w' is a relevant target 
world of w with respect to p — > [a]ip for M in M. if and only if 



• 



• 



1= ip and W.ib: 

w " w' 

for all £ £ w' \w: 

— either there is v £ base(^ip, W) such that v C w' and £ £ v; 

— or there is ip' £ Stnl such that there is v 1 £ base(ip' , W) such that v 1 C w' , £ £ if, 
and for every <dt{ £ M., |= *[a\ip' 

• for all £ £ w fl w' : 

— either there is v £ base(^ip, W) such that v C w' and £ £ v; 

— or there is Mi £ M such that U= % \a\^£; 

"w L ' 

By RelTarget(w,ip — > [a]ip,^,M) we denote the set of all relevant target worlds of w with 
respect to p — > [a]ip for J{ in M.. 

Note that we need the set of models M. (and here we can suppose it contains all models 
of the theory we want to change) because preserving effects depends on what other effects 
hold in the other models that interest us. We need to take them into account in the 
local operation of changing one model. (The reason we do not need M in the definition 
of the local, one model contraction of executability laws ^~ , ,-r- is that when removing 
transitions there is no way of losing effects, as every effect law that held in the world from 
which a transition has been removed remains true in the same world in the resulting model.) 
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Definition 3.5 Let J? = (W,R), and M be such that Jt e M. Then J? = {W,R!) e 

^^[a]^ tf and onl y tf 

• W = W; 

• R C #'; 

• // («;, w/) E R' \ R, then w' £ RelTarget(w, ip — > [a]ip,^, M); and 

• t/iere is «; e W 7 ' swc/i that p 97 — >• [a]i/>. 

Observe that ^~r , , 7^ if and only if </? and -ii/> are both satisfiable in W^. Moreover, 

_ # 

•^ G ^->[<# if aIld OIlly lf ^ ^ "^ [°]^- 

Because having just one world where the law is no longer true in each model is enough, 
taking those resulting models whose accessibility relations are minimal with respect to the 
original one guarantees minimal change. 

Definition 3.6 contract{^ , p — > [a]ip) = [j min{ 1 #~_ + , ,,, :!#} 

Now we can define the possible sets of models resulting from contracting an effect law 
from a set of models: 

Definition 3.7 Let M. be a set of models, and p — > [a]ip an effect law. Then 

M ^[aU = i M ' '■ M ' = M u {^'},^' e contract^, p -> [a]ip), Jl e M} 

Taking again Ai = {^}, where jtft is the model in Figure 4, after contracting token — > 
[buy]hot from M we get M; oken _^ [buy]hot = {M U {^{},MU {^},MU {^ 3 '}}, where all 
*/#/s are as depicted in Figure 8. 

In both cases where <p is not satisfiable in ^ or ip is valid in ^ , of course our operator 
does not succeed in falsifying p — > [a]ip (cf. end of Section 3.1). Again, this works as 
expected and it has to do with the Success Postulate (see also Section 7.2). 

3.3 Model Contraction of Static Laws 

When contracting a static law from a model, we want to admit the existence of at least 
one (new) possible state falsifying it. This means that intuitively we should add new worlds 
to the original model. (In a Situation Calculus setting that would correspond to allowing 
for situations not satisfying some of the domain constraints.) This is quite easy. A very 
delicate issue however is what to do with the accessibility relation: should new transitions 
leave/arrive at the new world? If no transition leaves the new added world, we may lose 
some executability law. If some transition leaves it, then we may lose some effect law, the 
same holding if we add a transition pointing to the new world. On the other hand, if no 
transition arrives at the new world, what about the intuition? Is it intuitive to have an 
unreachable state? (Similar issues would also arise in Situation Calculus interpretations, 
which means that they are independent of the underlying formalism.) 
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Figure 8: Models resulting from contracting token —> [buy]hot in the model 



of Figure 4. 



All this discussion shows how drastic a change in the static laws might be: it is a change 
in the underlying structure (possible states) of the world! Changing them may have as an 
indirect, unexpected (and in all probability unwanted) consequence the loss of some effect 
law(s) or some executability law(s). What we can do is choose which type(s) of laws we 
may accept to lose in this process and then postpone their change (by the other operators). 

Following the tradition in the RAC community, which states that executability laws are 
in general more difficult to formalize than effect laws, and therefore they are more likely 
to be incorrect (Shanahan, 1997), here we prefer not to change the accessibility relation, 
which means that we preserve effect laws and postpone the correction of executability laws, 
if required. (Remember that this is an approach towards a solution to the qualification 
problem — cf. Section 2.2 above.) 

One may argue that doing things this way makes our three operators incoherent in the 
sense that for effect and executability laws we adopt a minimal change approach, giving 
stronger theories, whereas for static laws we adopt a more cautious approach, giving weaker 
theories (see the next section). It is worth noting however that as largely recognized by the 
RAC community, the different laws of a domain description do not have the same status: 
a minimal change approach for static law contraction that preserves as many executability 
laws as possible, even if coherent, would definitely fail to cope with the qualification problem. 
Moreover, by propagating wrong executability laws, such a coherent method would definitely 
be less elaboration tolerant (McCarthy, 1998) than the one we are defining with regards to 
further modifications of the theory. 

For those reasons, our contention here is that static law contraction should be cautious. 
(For a detailed discussion on this, see Section 4.2 below and the end of Section 5.3.) 
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Definition 3.8 Let JZ = (W,R). JZ' = ( W,R'} <E JC~ if and only if 

• WC W'; 

• R = Rl ; and 

• there is w e W such that \/= (p. 



Note that 



= if and only if |= (p. Moreover, 



if and only i£ \£ <p. 



The minimal modifications of one model are defined as usual: 

Definition 3.9 contract{^ , ip) = ljmin{^~, ^ ^} 

And now we define the sets of models resulting from contracting a static law from a 
given set of models: 

Definition 3.10 Let M. be a set of models, and cp a static law. Then 

M~ = {M' : M' = MU {J£'},JZ' e contract^, <p),j£ e M} 

In our scenario example, if the initial set of models is Ai = {^}, where jtft is the model 
in Figure 4, then contracting the static law coffee — > hot from Ai would give us the resulting 



new set of models M. 
in Figure 9 below. 



coffee— ¥h 



ot = {M U {j^[},M U {*/#2j}> where each J£[ is as depicted 
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Figure 9: Models resulting from contracting coffee — > hot in the model ^# of Figure 4. 

Notice that by not modifying the accessibility relation all the effect laws which are true 
in the original model ^ are preserved in the resulting models. This is ensured by [6mj/]_L 
being true in the new world W7. 

It is only some executability laws that are potentially lost, due to the cautiousness of 
our approach. For instance, in jtf\_ above, it is no longer the case that token — > (buy)T is 
true, since now there is a world, namely w?, which does not satisfy it anymore. (In ^' 2 this 
executability law is still true in every possible world.) 

It is worth point out, however, how our approach is indeed in line with intuition: when 
learning that a new state is now possible, we do not necessarily know all the behavior of the 
actions in the new added state. We may expect some action laws to hold in the new world 
(see end of Section 5.3), but, with the information we dispose, not touching the accessibility 
relation is the safest way of contracting static laws (cf. Section 4.2 below). 
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4. Interlude 

Before presenting the algorithmic counterpart of our action theory change operators, in this 
section we discuss alternatives to some of our technical constructions. We point out the 
issues that such alternatives would raise. We also provide more justifications for some of 
the design choices that have been made in the previous sections. 

4.1 Other Distance Notions 

Here we have defined and used a model distance which is based on the symmetric differ- 
ence between sets (Definition 2.11). This distance is an extension to Kripke structures of 
Winslett's (1988) notion of closeness between prepositional interpretations in the Possible 
Models Approach (PMA). Instead of it, however, we could have considered other distance 
notions as well, like Dalal's (1988) distance, Hamming distance (1950), or weighted dis- 
tance. Due to space limitations, we do not develop a through comparison among all these 
distances here. (For more details, the reader may want to refer to Schlechta's 2004 book.) 
We nevertheless do show that with a cardinality-based distance, for example, we may not 
always get the intended result. 

Let card(X) denote the number of elements in set X. Then suppose that our closeness 
between K„-models was defined as follows: 

Definition 4.1 (Cardinality-based Closeness between K re -Models) Let Jt = {W,R} 

be a model. Then jtft' = {W,R') is at least as close to M as M" = (W",R"), noted 
•dt 1 < # j&" , if and only if 

• either card(W-W) < card(W-W'); 

• or card(W-W') = card(W-W') and card(R-R') < card(R-R"). 

Such a notion of distance is closely related to Dalal's (1988) closeness. 

Because when contracting a static law <p from a model j^ we usually add one new 
possible world, it is easy to see that with this cardinality-based distance we get the same 
result in contract(^ , ip) as with the distance from Definition 2.11. 

When it comes to the contraction of action laws, and then changing the accessibility 
relations, however, this cardinality-based distance does not seem to fit with the intuitions. 
To witness, consider the model ^# in Figure 10, in which the law p 1 — > (a)T is true. 



/ tPi.-flQ 




Figure 10: A model of the executability law p 1 — > (a)T. 
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Then, the models resulting from contraction of Pi — > (a)T in the model ^ will be 
^~^/ a )T = {^' -,^"}i where M' and M" are as depicted in Figure 11. 
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Figure 11: Models resulting from contracting p 1 — > (a)T in the model ^ of Figure 10. 

.#" 
Note that ^#" is an intended contracted model: |^= p 1 — >• (a)T. However, with the 

cardinality-based distance above we will get {^}~ _>/ a \T = {{^,^'}}- We do not have 

{^,^#"} in the result since ^#' <..^ ^#": in j%' only one transition has been removed, 

while in J{" two. 

4.2 Minimal Change v. Cautiousness 

As usually done in the literature on classical belief revision, when defining a (traditional) 
theory change operator one must always make the fundamental decision which of two op- 
posing principles should be the guiding one: that of minimizing change, which leads to 
strong modified theories, versus that of cautious change, which leads to weak theories. In 
this regard, one might argue that our action theory change operators are incoherent. That 
is because we adopt the first principle for the contraction of effect and executability laws, 
but then the latter principle for contraction of static laws. 3 

It turns out, however, that this view is debatable. From a different perspective one can 
think of our three operators as being coherent in the following sense: all of them perform a 
version of maxichoice, namely the addition of precisely a single model to the original models 
of the theory. 4 

In any case, in the sequel we give a justification for the behavior of our operators and 
show that there can be no such an operator for contraction of static laws that is not cautious 
while being coherent with the operators for contraction of effect and executability laws. (We 
say that an operator for static law contraction is coherent with respect to our operators for 
contraction of effect and executability laws if it also performs minimal change with respect 
to the other types of laws, i.e., if it preserves effect and executability laws.) 

Where does the claimed 'incoherence' come from? Here our contention is that it is 
inherent to the problem of action theory change itself, and not a flaw of our definitions. 
The justification is as follows. Remembering the intuitions for our semantic constructions, 
it is easy to see that for the contraction of executability laws knowledge about some action's 
feasibility (the transitions) is removed and only that. For the contraction of effect laws, a 



3. We thank an anonymous referee for having pointed this out. 

4. We thank another anonymous referee for having pointed this out. 
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piece of knowledge is also added (the new transition), but notice that this one is 'guided' 
by some given concrete extra information, namely the —iip effect that we want to allow. 

Now, for the contraction of static laws, notice that no extra information whatsoever is 
given about the new possible state which could guide the addition of some knowledge about 
the feasibility of an action. The only thing that we know is that the new world should exist. 
Nothing more is said about whether there should be any transition leaving it or arriving at 
it at all. This is a property of the problem per se: the problem of removing a static law 
does not mention executabilities, and it is just reflected by our operator. 

Therefore, such an 'incoherence' is already in the problem, and as such it is not surprising 
to find it again in the proposed operators. These are designed to do what they are allowed 
to do given the constraints of the problem. Should we have more information in our hands 
regarding the new added state, a coherent version of the corresponding operator would 
have been defined. (See the discussion in Section 9 for a comparison with Eiter et al.'s 2005 
constraint-based method for update of action theories.) 

Proposition 4.1 There is no minimal change operator for static law contraction that is 
coherent with our operators for contraction of effect and executability laws. 

Proof: Suppose that we have a minimal change based (non-cautious) contraction operator 
for static laws that is coherent with the other operators. This operator must be such that 
when contracting <p £ gml only formulas of the type of ip are removed (otherwise it is 
not coherent with the other operators). This means that both effect and executability laws 
should be preserved. In particular, this operator is coherent in this respect when contracting 
the formula p l — > -ip 2 fi' om model ^ in Figure 12 below. 



"'i 



(pujpP) 



Wo 



(juP?) 



Wl 



(Vu-'Vi*) 



«'_> 



(-■pi.rQ 



«':i 



iPl,P2 ) 



Figure 12: Adding a transition from a new added world in the alternative semantics to 
static law contraction. M denotes the original model, while j%' shows the new 
added world and a candidate transition to add to R„. 



Following the intuition about contraction of Boolean formulas, a new world, viz. the 
valuation {^1,^2}) i s added to W in ^ . Because the operator in question is non-cautious, 
a transition should also be added from the new added world {Pi,_p 2 } m ^ ■> m 01 'der to 
preserve the executability law p 1 — > (a)T. Also because the operator is non-cautious, the 
effect law Pi — > [a]^Pi should be preserved. Hence, such a new transition should point 
neither to world {Pi, -1 ^} nor to {Pi,^} itself. Now, if we direct the new transition to 
{—>Pi,P2} (th e only world that is left), we get the model jtft' in Figure 12. 
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Observe that \= (->p 1 Vp 2 ) — > Mft.- However, ^ (-ip 1 Vp 2 ) — > [a]^: the operator 
makes us lose an effect law! This means that it is not coherent. In order for us to keep this 
effect law, the only option is not to direct the new transition to { _, p 1 ,p 2 }- But then, no 
transition is added at all: the operator is cautious! Hence there is no such an operator for 
static law contraction that is based on minimal change and is coherent with the operators 
for the other laws. □ 

The result above supports our contention that we cannot have a coherent set of minimal 
change operators for action theory contraction. This is a general result and it holds not 
only for modal-based approaches like ours, but it applies to any framework for reasoning 
about actions which is based on transition systems and which also allows for the three types 
of laws that we consider here. 

Furthermore, the result also illustrates well the difference between action theory change 
and classical belief change. To witness, even though contraction of static laws amounts to 
prepositional contraction of Boolean formulas, it remains a special case of the latter. The 
reason is that when contracting static laws one always asks "what happens to the laws of 
other types?" , a question that is not asked in classical propositional contraction for the 
obvious reason that there simply there are no other types of formulas. 

5. Syntactic Operators for Contraction of Laws 

Once having given a semantic construction for action theory change, we now turn our 
attention to the definition of syntactic operators for changing sets of formulas describing a 
dynamic domain. 

As Nebel (1989) says, "[■••] finite bases usually represent [. ..] laws, and when we 
are forced to change the theory we would like to stay as close as possible to the original 
[. . . ] base." Hence, besides the definition of syntactical operators, we should also guarantee 
that they perform minimal change at the theory level. By that we mean that the resulting 
theory should of course not entail the law we want to contract the theory with, and it should 
also preserve as much of the previous knowledge as possible when performing syntactical 
manipulations on the laws in the original theory. Ideally, from the knowledge engineer's 
perspective, the modified theory should also keep a certain degree of resemblance with the 
original one: the resulting laws should be slight modifications of the relevant ones in the 
original action theory. 

By 7^ we denote in the sequel the result of contracting a law $ from the set of laws T. 

5.1 Contracting Executability Laws 

For the case of contracting an executability law <p — > (o)T from an action theory, first we 
have to ensure that action a keeps its executability state in all those contexts where the 
antecedent —xp holds, if that is the case. We achieve that by strengthening the antecedents 
of the relevant executability laws. Second, in order to get minimality, we must make a 
executable in some contexts where <p is true, viz. all ^-worlds but one. Since there are 
possibly many different alternatives for that, this means that we can have several action 
theories as outcome. Algorithm 1 gives a syntactical operator to achieve this. 
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It can be easily checked that Algorithm 1 always terminates: the input action theory 
Tis always finite; from finiteness of *}3top follows that of atm(ir), for any it £ IP(S A (p). 
Moreover, the entailment problem of multimodal K is decidable (Harel et al., 2000), as is 
that of classical propositional logic. Therefore contracting executability laws is decidable. 

Algorithm 1: Contraction of an Executability Law 
Input: T, if — > (o)T 

Output: T.i \-r /* set of theories output to the knowledge engineer */ 
l begin 

2 

if Th> v 3 ~~ > ( a )T an d «5 tcpi - "/ 9 then 
foreach -k £ IP(S A tp) do 



8 
9 

10 
11 

12 



forall A C atm(ir) do 

^ := A Pie ^)ftAA p . eiS -ft /* extend f to a valuation */ 

if 5 ^ p . (n A <£>^) — > _L then /* it is an allowed state */ 

/* construct a theory that is weaker for that state */ 
V := (T\ X a ) U {(^ A -(tt A y^)) -> (a)T : ^ -> <o)T e X a ] 



T~ ■= T~ 

ip—y{a)T ' ip-¥{a)T 



u{T'} 



else 



L w>t : = m 



return 



if^(a)T 



13 end 



It is straightforward to see that Algorithm 1 above can be adapted to Situation Calculus 
action theories as well. The crucial point however would be its termination, since entailment 
in the Situation Calculus is in general undecidable. 



In our running example, contracting the executability law token 
action theory T would give us T oken _^ {buy)T = {7^,7^,7^}, where: 



T{ = 



T' - 
I o — 



coffee — > hot, -^coffee — > [buy]coffee, 

token — > [buy]^token, -^token — > [buy]-L, 

coffee — > [buy]coffee, hot — > [buy]hot, 

(token A (-^coffeeM -*hot)) — > (buy)T 

coffee — > hot, -^coffee — > [buy]coffee, 

token — > [buy]^token, -^token — > [buy]J-, 

coffee — > \buy\coffee, hot — > [buy]hot, 

(token A (coffee V -i/iot)) — > (buy)T 



(buy)T from the 
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Tl = 



coffee — > hot, -^coffee — > [buy]coffee, 

token — > [buy]^token, -^token — > [buy]-L, 

coffee — > [buy]coffee, hot — > [buy]hot, 

(token A (coffee V hot)) — > (buy)T 



Now all the knowledge engineer has to do is choose which theory is more in line with 
her intuitions and implement the required changes (cf. Figure 5). 

5.2 Contracting Effect Laws 

When contracting an effect law <p — > [a]tjj from an action theory T, intuitively we should con- 
tract those effect laws that preclude ^ip in target worlds. In order to cope with minimality, 
we must change only those laws that are relevant to the unwanted tp — > [a]ip. 

Let (£0)1, • • • j (£t ) n denote minimal subsets (with respect to set inclusion) of £ a such 
that S, (£a )i h? ¥> —> M?/S f° r I < i < n. In other words, each (£t)i is a support set for 
the effect law <p — > [a]tjj in T. To make a parallel with the terminology usually adopted in 
the belief change community, we shall see each (£% )i as a special type of kernel (Hansson, 
1994) for the formula ip — > [a]tp- 

According to Herzig and Varzinczak (2007), given any action theory one can always 
ensure that at least one support set for <p — > [a]^ exists. Now let 

£a = (J ( £ t'% 

l<i<n 

The laws in £~ will serve as guidelines to get rid of [a]ip in each <p- world allowed by the 
theory T: they are the effect laws to be weakened to allow for (a)^ip in some ^-contexts. 
This resembles classical kernel contraction (Hansson, 1994): finding minimal sets implying 
a formula and changing them. A crucial difference, however, is that instead of completely 
removing a formula from each kernel, what we do here is weaken the laws. 

When modifying the support sets, the first thing we must do is to ensure that action 
a still has effect ip in all those contexts in which ip does not hold, if that is the case. This 
means we shall weaken the laws in £% specializing them to -up. Now, we need to preserve 
all old effects in all </?-worlds but one. To achieve that we specialize the above laws to 
each possible valuation (maximal consistent conjunction of literals) satisfying <p but one. 
Then, in the left 9?- valuation, we must ensure that action a has either its old effects or -i?/> 
as outcome. We achieve that by weakening the consequent of the laws in £~ . Finally, in 
order to get minimal change, we must ensure that all literals in this (^-valuation that are 
not forced to change in -i^-worlds should be preserved. We do this by stating an effect law 
of the form (ipk A £) — > [a](ip V £), where (pk is the above ip- valuation. The reason this is 
needed is clear: there can be several -^-valuations, and as far as we want at most one to 
be reachable from the <£>/u-world, we should force it to be the one whose difference to this 
(/9fc-valuation is minimal. 

In Situation Calculus terms, all these syntactical operations would correspond to strength- 
ening the right-hand side of the relevant successor state axioms and/or weakening their 
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left-hand side. Alternatively, the same can be done with the original effect axioms, then 
recompiling them again into new successor state axioms afterwards. 

The output of the operations described above will be a set of action theories which will 
be output to the knowledge engineer. Algorithm 2 below gives the operator. 



Algorithm 2: Contraction of an Effect Law 



Input: T, <p — )■ [a]ip 

Output: T~ r i , /* set of theories output to the knowledge engineer */ 



l begin 

2 



3 

4 
5 

6 
7 
8 
9 
10 

11 
12 
13 
14 
15 
16 

17 

18 
19 



T~ 



if Th> <p — > [a]ip and S |^ p . -«p then 
foreach tt G IP(S A ip) do 
forall A C atm(ir) do 

^A : = Ap. £ ^^M ft A A p . £ ^ 



aim (tt) 
Pi £4 Pi jM 



-i^j /* extend i to a valuation */ 

/* it is an allowed state */ 



if S ^ pl (tt A <p A ) -> J_ then 
foreach 7r' G /P(5 A -i^>) do 

7"' := T\£~ /* the support sets will be weakened */ 

V := V U {(^A -(tt A <p A )) -> [a]iPi : Vi -> [a]^ G £"} 
/* allow for -i'0 after a in this state */ 

V := V U {(^ Air Alp A ) ^ [o](^i V tt') : ^ -> [<#; G £"} 
forall L C £it do 

if S \^ pL (ir A ip A ) -> AteL * and «S ^ P |>' A AfgL *) ->• J- then 
foreach £ G L do 

if T^ (tt A p A A £) ->■ [a]-.£ or £ G tt' then 

|_T':= 7~'U {(7rA^A£)^[a](^V£)} 



7~~ = T~ 



u{T'} 



else 



20 

21 end 



>->■[<# :_ 1-7} 



return 7^ r , , 



Again, from the hniteness of the action theory T and that of atm(ir), for any tt G 
/P(5 At/?), and from the decidability of multimodal K (Harel et al., 2000) as well as that 
of classical prepositional logic, it can be easily verified that Algorithm 2 always terminates. 
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Therefore, contracting effect laws is decidable. Of course, the complexity of computing all 
the support sets as well as the prime implicants is quite high (see Section 5.4 later on for a 
discussion on this matter). 

For an example of execution of Algorithm 2, let us suppose that we want to contract 
the effect law token — > [buy]hot from the action theory 7~of our running example. First we 
have to compute the support sets for token — > [buy]hot in T(i.e., the minimal subsets of 
£, which together with S entail token — > [buy]hot). These are the following: 



token,hot\ 



V buy 



)1 = 



coffees [buy] coffee, 
-^coffee ->• [buy}coffee 



token, hot\ 



V buy 



hot - 
1 coffee 



[buy]hot, 
> [buy]coffee 



Now for each possible context in which the antecedent token is the case, we have to 

i j_i £r j_ i • c— i c , token,hot\ , , / tptoken,hot\ o* c t ne 7 .~i 1 

weaken the effect laws in b, = (c, )i U (t, J2- since 6 = {coffee — > hot), such 

contexts are token A coffee A hot, token A -^coffee A -^hot and token A ^coffee A hot. 

For token A coffee A hot: Algorithm 2 replaces in Tthe laws from £^ u with 



(coffee A -^(token A coffee A hot)) — > [buy] coffee, 

(hot A -^(token A coffee A hot)) — > [buy]hot, 
(^coffee A -^(token A coffee A hot)) — > [buy]coffee 

so that we preserve their effects in all possible contexts but token A coffee A hot. Now, in 
order to preserve some effects in token A coffee A hot-contexts while allowing for reachable 
-■/lot-worlds, the algorithm adds the laws: 



(token A coffee A hot) 
(token A coffee A hot) 



[buy](coffee V -^hot), 
[buy](hot\/ -^coffee) 



Now, we search all possible combinations of laws from £, that apply on token A coffee A hot 
contexts and find token — > [buy]^token. Because -^token must be true after every execution 
of action buy, we do not state the law (token A coffee A hot) — > [buy](hot\/ token), and end 
up with the following theory: 



r(=< 



coffee — > hot, token — > (buy)T, 

token — > [buy]^token, -^token — > [buy]J-, 

(coffee A -^(token A coffee A hot)) — > [buy] coffee, 

(hot A -^(token A coffee A hot)) — > [buy]hot, 

(^coffee A -^(token A coffee A hot)) — > [buy]coffee, 

(token A coffee A hot) — > [buy](coffee V -i/iot), 

(token A coffee A hot) — > [buy](hotV -^coffee) 



On the other hand, if in our language we also had an atom p with the same theory T, 
then we should have added a law (token A coffee A hotAp) — > [buy](hot\/ p) to meet minimal 
change by preserving effects that are not relevant to ^ip (cf. Definition 3.4). 
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The execution for contexts token A —> coffee A -i hot and token A ^coffee A hot are analogous 



and the algorithm ends with 77 



tokens [buy] hot 



= {V,V,Vh where: 



7? = 



coffee — > ftot, tofcen — > (buy)T, 

token — > [buy]^token, -^token — > [buy]-L, 

(coffee A -i(tofcen A -^coffee A -i/ioi)) — > [buy]coffee, 

(hot A -^(token A -^coffee A -i/ioi)) — > [6m/]/io£, 

(^coffee A -i(tofcen A -^coffee A -^hot)) — > [buy]coffee, 

(token A -^coffee A -i/ioi) — > [ buy](coffee V — i/ioi) 



coffee — > /ioi, tofcen — > (buy)T, 
token — > [buy]^token, -^token — > [buy]-L, 
(coffee A -i(tofcen A -^coffee A /io£)) — > [buy]coffee, 
7a = \ (hot A -■( tofcen A -^coffee A hot)) — > [buy]hot, 

(^coffee A -^(token A -^coffee A hot)) — > [buy]coffee, 
(token A -^coffee A hot) — > [buy](hot\/ -^coffee), 
(token A -^coffee A hot) — > [buy](coffee V -i/toi) 



Looking at Figure 8, we can see the correspondence between these theories and their 
respective models. It is now up to the knowledge engineer to look at these action theories 
and pick up the one corresponding to her expectations. 

5.3 Contracting Static Laws 

Finally, in order to contract a static law from a theory, we can use any contraction/erasure 
operator for classical logic that is available in the literature. Because contracting static 
laws means admitting new possible states (cf. the semantics), just modifying the set S of 
static laws may not be enough for the multimodal logic case. However, since in general 
we do not necessarily know the behavior of the actions in a new discovered state of the 
world, a careful approach is to change the theory so that all action laws remain the same 
in the contexts where the contracted law is the case. (The reader is invited to see that in 
the Situation Calculus by allowing a new situation to exist one may need to change the 
precondition axioms as well, which means that the problem here described is independent 
of the logical formalism chosen.) 

In our scenario example, if in contracting the static law coffee — > hot the knowledge 
engineer is not really sure whether action buy is still executable or not, then she should 
weaken the set of executability laws specializing them to the context coffee — > hot, and 
make buy a priori inexecutable in all ^(coffee — > hot)-contexts. It is worth noting that 
this is in line with the assumption commonly made in the RAC community according to 
which executability laws are by and large much more likely to be incorrect right from the 
beginning (Shanahan, 1997). Therefore extrapolating them to previously unknown states 
might (and in all probability will) result in the propagation of errors and, even worse, the 
loss of effect laws (remember the discussion in Sections 3.3 and 4.2). The operator given in 
Algorithm 3 formalizes this. 
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Algorithm 3: Contraction of a Static Law 



Input: TJ <p 

Output: JZ /* set of theories output to the knowledge engineer */ 
1 begin 

2 

if S t p| ip then 

/* call classical contraction S © <p of S with tp */ 
foreach S~ e S </? do 

/* build a theory preserving executability in old states */ 

T':= ((T\S)US~)\X a 

V := V U {(^ Aip)^ (a)T : Vi -> (a)T e XJ U {-.p -> [o]±} 

_ r- := r- u {T'} 

else 

L ^ : = m 



10 



return 7~„ 



li end 



In our running coffee example, contracting the static law coffee 
theory T produces T co g ee _^ hot = {T{,T{}, where 



T(={ 



-■(-ifotaA coffee A -i/toi), 

(token A coffee — > hot) — > (buy)T, 

^coffee — > [buy]coffee, token — > [buy]^token, 

-^token — > [buy].L, coffee — > [buy]coffee, 

hot — > [buy] hot, (coffee A -*hoi) — > [buy]A. 



hot from the action 



Tl={ 



-^(token A coffee A -*hot), 

(token A coffee — > hot) — > (buy)T, 

^coffee — > [buy]coffee, token — > [buy]^token, 

-^token — > [buy\.L, coffee — > [buy]coffee, 

hot — > [buy]hot, (coffee A -*hoi) — > [buy]A. 



Observe that the effect laws are not affected at all by the change: as far as we do not 
pronounce ourselves about the executability of some action in the new added world, all the 
effect laws remain true in it. 

If the knowledge engineer is not happy with (coffee A —>hot) — > [buy]-L, she can contract 
this formula from the theory using Algorithm 2. Ideally, besides stating that buy is exe- 
cutable in the context coffee A -i/ioi, we should want to specify its outcome in this context 
as well. For example, we could want (coffee A ~^hot) — > (buy)hot to be true in the result. 
This requires theory revision. See Section 8 for the semantics of such an operation. 
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5.4 Complexity Issues 

While terminating, our algorithms come with a considerable computational cost: the K n - 
entailment tests with global axioms in the beginning of the algorithms and inside the loops 
are known to be EXPTlME-complete (Harel et al., 2000). The computation of all possible 
contexts allowed by the theory, namely f\ . e atm , n) Vi A A . E afm(7r) ~^Vii f° r a ^ A C atm(ir) and 

all 7r G IP(S A p), is clearly exponential. Moreover, the computation of prime implicants 
IP(.) might result in exponential growth (Marquis, 2000). 

Given that theory change can be carried out offline, from the perspective of the knowl- 
edge engineer what is more important is the complexity of the size of the computed con- 
tracted theories: the number of formulas as well as the length of the modified ones. This 
plays an important role when deciding among several output theories which one corresponds 
to the knowledge engineer's expectations. In that matter, whereas the length of new added 
formulas may increase exponentially, with respect to the number of laws our results are 
positive: the size of the computed contracted theories is linear in the size of the original 
action theory. (Remember that card(X) denotes the number of elements in set X.) 

Proposition 5.1 Let T be an action theory, ip — > (o)T an executability law, and T' G 
7^_w a \T- Then card(T') = card(T). 

Proof: If T y= p — > (a)T, then T~ , v T = {T}, and then T' = T, from which the result 
follows. Suppose T |=b p — > (a)T is the case. Then T' is such that T' = (T\ X a ) U X ', 
where X a ' is obtained from X a in such a way that (pi A ip') — > (a)T G Xj if and only 
if ipi — > (a)T G X a , for a fixed ip'. From this it follows card(X a ') = card(X a ). Now, 
card((T\ X a ) U X a ') = card(T\ X a ) + card(X a ') - card((T\ X a ) n Xj) = card(T) - card(X a ) + 
card(X a ') — card($) = card(7) — card(X a ) + card(X a ) — = card(7). □ 

Proposition 5.2 Let T be an action theory, p — > [a]ip an effect law, and T' G 7~_j.r i .. 
Then card(T') < card(T) + card(£~) + card(£it). 

Proof: If T |^4 p — > [a]ip, then 7~_a i . = {T}, and then T' = T, from what we get 
card{T') = card(T). Since card(T) < card(T) + card(£~) + card(£it), the result follows. 
Suppose that Thj p — > [a]tp is the case. Then T' = (7~\ £<j ) U £ a ' U £ a " U T a , where: 

• £ a ' and £ a " are both obtained from £~ in such a way that (pi A _, <y2> / ) — > [ajipi G £ a ' 
and (pi A p') — > [a](ipi A ip') G £ a " if and only if pi — > [a]ipi G £~ , for fixed <//, -!/>'; 

• .F C {(p' A £) ->■ [a]{ip V £) : £ G £it}, for a fixed p'; and 

• T,£ a ',£ a ", T a are pairwise disjoint. 

Hence card(£ a ') = card(£ a ") = card(£~), and card^g) < card(Q\i). Then card(T') = 
card(T\£~) + card(£ a ') + card(£ a ") + card^J = card(T\£~) + card(£~) + card(£~) + 
card^g) = card(T) — card(£~) + card(£~) + card(£~) + card^g) = card(T) + card(£~) + 
card^g) < card(T) + card(£~) + card(iiit). □ 
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Given the arbitrary choice of the contraction operator for static laws, without loss of 
generality we can resort to a slightly modified version of it, viz. one that always gives us 
as result a set of static laws with the same cardinality as the original S. (This is possible 
since, contrary to £ and X , a conjunction of static laws is still a static law, with no further 
rewriting.) By agreeing on that, the following proposition is straightforward: 

Proposition 5.3 Let T be an action theory, ip a static law, and T' <E T~. Then card(T') = 
card(T) + 1. 

Propositions 5.1-5.3 are positive results: if the knowledge engineer can deal with the 
original action theory, then she will be able to deal with the output of the algorithms. 
(Observe that for a given T' all the conditional frame axioms added to T a in the contraction 
of an effect law can be 'factored' into a single law, so that the resulting theory has a 
cardinality of at most card(T) + card(£~) + 1.) 

We finish this section by observing that the size of 7^ , the set of resulting contracted 
theories, depends solely on the set of static laws plus the law we contract Twith: 

Proposition 5.4 Let T be an action theory, and let <P be a law such that Ths ^. Then 

• card(T^) = card{S Q ip), if <& is if 

• card(T^) = card(val(S U {ip})), if $ is either ip — > (a)T or ip — > [a]ij). 

Proof: The proof follows straightforwardly from the outermost loops in Algorithms 1-3. □ 

6. Correctness of the Operators 

We now address the correctness of our algorithms with respect to our semantics for contrac- 
tion. Correctness here is understood as completeness and adequacy. Adequacy means that 
the algorithms output only theories whose models result from our semantic modifications 
of models of the original theory. Conversely, completeness says that every model resulting 
from the semantic modifications of models of the original theory is indeed a model of some 
theory output by the algorithm. 

6.1 Challenges to Completeness and Adequacy 

Let the theory T= {p\ — > (a)T,(^p 1 Vp 2 ) — > [a]J-,[a]^p 2 } an d consider its model M 
depicted in Figure 13. (Notice that 7~|=b — >(pj /\p 2 )-) When contracting p 1 — > [a]^p 2 in ^#, 

r\ n 

we get M' in Figure 13. 

Now contracting p 1 — > [a] -1 ^ from Tusing Algorithm 2 gives T~ , i = {7"'}, where 

f Pi -> («)T, {^p 1 V p 2 ) -> [a]_L, 
T'=l (PiA-.p 2 )^[a](-.p 2 Vp 2 ), 
I (Pi A^p 2 ) -> N(-7>2 v Pi) 

Notice that the formula (p 1 A ~^p 2 ) — > MC -1 ^ V Pi) ^ s P 11 ^ m 7"' by Algorithm 2 because 
there is {_p{\ C £it such that S ^k p ,(pi A p 2 ) — > -1 and T ^4 (Pi A ~^p 2 ) — > [a]^p 1 . It is 
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U>3 




Figure 13: A model ^# of 7~and the result j%' of contracting p 1 — > [a] -1 ]^ m it- 

clearly the case that U= 7"' and no theory in T~ , , has */#' as model. This means that 
there are theories for which the contraction operators are not complete. 

This issue arises because Algorithm 2 tries to allow a transition from the p 1 A ^p 2 -woild 
to a j3 2 " w01 'ld that is closest to it, viz. {j?i,j?2j) ^ l1 ^ nas no wa y °f knowing that such a 
world does not exist. A remedy for that is replacing the test TU (it 1 A f\ i£L £) — > _L for 
S hL. (tt' Af\ i&L £) — > _L, but that would increase even more the complexity of the algorithm. 
A better option would be to have S 'complete enough' to allow the algorithm to determine 
the worlds to which a new transition could exist. 

The other way round, it does not hold in general that the models of each T'gT^ result 
from the semantic contraction of models of 7~by <P. To see why suppose that there is only 
one atom p and one action a, and consider the action theory T = {p — > [o]_L, (o)T}. The 
only model of Tis M = ({{ _, p}}, {({ _, p} ) { _, p})}) m Figure 14. 




■ Q 



»l\ «'l \ / W * 



CD CD 

Figure 14: Inadequacy of contraction: a model jtft of T and a model jtft' of the theory 
resulting from contracting p — > (a)T from T- 



From our definitions, contract(^,p — > (a)T) = {^}. (There is no |>world in j$. from 
which to remove an arrow.) On the other hand, 7~~ / v T is the singleton {T 7 } such that 

V = {p ->■ [a]±,->p -> <a)T}. Then ^' = <{{->p},{p}}, ({->p},{->p})) in Figure 14 is a 
model of the resulting contracted theory. Clearly, jtft' does not result from the semantic 
contraction of p — > (o)T from ^: while —>p is valid in the contraction of the models of T, it 
is not valid in the models of T' . This means that there are theories for which the operators 
are not adequate. 

This problem occurs because, in our example, the worlds that are forbidden by T, e.g. 
{p}, are not preserved as such in T' . When contracting an executability or an effect law, 
we are not supposed to change the possible worlds of a theory (cf. Section 3). 

Fortunately correctness of the algorithms with respect to our semantics can be estab- 
lished for those action theories whose S is maximal, i.e., the set of static laws in S alone 
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characterize what worlds are possible in the models of the theory. This is the principle of 
modularity (Herzig & Varzinczak, 2005b) and we briefly review it in the next section. 

6.2 Modular Action Theories 

A quite useful, albeit simple, property of domain descriptions in reasoning about actions is 
that of action theory modularity (Herzig & Varzinczak, 2005b). 

Definition 6.1 (Modularity) An action theory T is modular if and only if for every 
Boolean formula ip e Jml, */7~k? <p } then S b= PL <£>• 

For an example of a non-modular theory, let us suppose that the action theory 7~of our 
coffee machine scenario were stated as 

{coffee — > hot, (buy)T, 
^coffee ->• [buy]coffee, 
token — > [buy]->token, ->token — > [buy]-L, 
coffee — > [buy]coffee, hot — > [buy]hot 

The modified law is underlined: we have (in this case wrongly) stated that the agent can 
always buy at the machine. Then Th? token, but S ^ p . token. 

Since the underlying multimodal logic is independently axiomatized (see Section 2.1), we 
can use the algorithms given by Herzig and Varzinczak (2005b) to check whether an action 
theory satisfies the principle of modularity. Whenever this is not the case, the algorithms 
return the Boolean formulas entailed by the theory which are not consequences of S alone. 
For the theory 7~above, they would return {token}: as we have stated (buy)T, from this and 
the inexecutability law -^token — > [buy] A. we have that Thj token. Because S ^ p . token, 
token is what is called an implicit static law (Herzig fc Varzinczak, 2004) of the action 
theory X 5 

Modular action theories have several interesting computational properties. For exam- 
ple, consistency can be checked by just checking consistency of the static laws in S: if 
T is modular, then T \= _L if and only if S b _L. Deduction of effect laws does not 
need the executability ones and vice versa. Deduction of an effect of a sequence of ac- 
tions a\ ; . . . ; a n (prediction) does not need to take into account the effect laws for actions 
other than a\, . . . , a n . This applies in particular to plan validation when deciding whether 
(a\; . . .; a n )(f is the case. 

Modularity is not an exclusive property of action theories formalized in K n : similar 
notions have also been investigated for different contexts in other formalisms, like regula- 
tion consistency in deontic logic (Cholvy, 1999), Situation Calculus (Herzig &; Varzinczak, 
2005a), DL ontologies (Herzig &; Varzinczak, 2006), dynamic logic (Zhang, Chopra, &; Foo, 
2002) and also in the Fluent Calculus (Thielscher, 2010). For more details on modularity 
in K n action theories, as well as its role in the presence of a solution to the frame and 
ramification problems, see the work by Varzinczak (2006). 



5. Implicit static laws are closely related to veridical paradoxes (Quine, 1962). It turns out that sometimes 
they are intuitive, but sometimes they are not. For a deep discussion on implicit static laws, see the 
work by Varzinczak (2006). 
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Another interesting property of modular action theories is the following: 
Theorem 6.1 T is modular if and only if T has a canonical model. 
Proof: Let ^ can = ( W can , R ca n) be the canonical frame of T. 

(=>): By definition, ^# ca „ is such that |= can S AS. It remains to show that |= can X . Let 
<Pi — > (a)T G X a , and let w G W can be such that \= can <pi. Therefore for all ipj G 5"m[ such 
that T|=b (fj — > [o]-L, we must have p ""Vj, because T|=b ~^(<Pi A </?,•), and as Tis modular, 
5 |= _i (v ? i A y?j), and hence |= can -<((pi A <£>j). Then by the construction of ^# ca „, there is 
some w' G W^ can such that \^ t ca "ip for all ip — > [a]ip G £ a such that |= """<£>. Thus R a (w) ^ 

d| - v*-can I \ —i— 

|= <£>i — > (a) I . 

(^=): Suppose Tis not modular. Then there must be some <p G 5"m[ such that 7"|=b </? and 
S Wp\_ <£>. This means that there is w G val(S) such that u 1/ </>. As v G W c <m (because W^an 
contains all possible valuations of S), ^ can is not a model of T. □ 

6.3 Correctness Under Modularity 

As shown by Herzig and Varzinczak (2007), given an action theory formalized with any 
framework available in the literature allowing for the expression of our three basic types of 
laws, it is always possible to ensure modularity. Moreover, as we are going to see in the 
sequel (cf. Section 7.2), it has to be computed at most once during the evolution of the 
action theory. Hence, relying on modular theories is not a limitation at all to our approach. 

The following theorem establishes that under the assumption that the action theory T 
is modular, the semantic contraction of a formula <P from the set of models of Tproduces 
models of some contracted theory in 7J. 

Theorem 6.2 Let T be modular, and § be a law. For all M! G M~p such that \= T for 
every M G M., there is T' G 7J such that |= T' for every ^' G M! . 

Proof: See Appendix A. □ 

The next theorem establishes the other way round: under modularity models of theories 
in 7J are all models of the semantic contraction of ^ from models of T. 

Theorem 6.3 Let T be modular, <P a law, and T' G 7^. For all ^#' such that \= T' , there 
is M' G M$ such that J6' G M' and \= T for every Jt G M. 

Proof: See Appendix B. □ 

With these two theorems we get the correctness of our operators: 

Corollary 6.1 Let T be modular, <P a law, and T' G T2- Then T' |=s. & if and only if\= <F 
for every Jt 1 G M' such that M' G M$ for some M such that |= T for all Jt G M. 
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Proof: 

(=>): Let Jt' be such that \^= T'. By Theorem 6.3, there is M' G M# such that J£' G .M' 

for some .M such that |= 7" for all ^# G A4. From this and 7"' |=b ^, we have |= IF. 

(«=): Suppose T' |£ !?■. (We show that there is some model J{' G A-f such that A4' G .Ml 

for some M with |= Tfor all Jt G .M, and ^ !?.) 

Given that Tis modular, by Lemma B.l T' is modular, too. Then, by Lemma B.3, 

there is some ^#' = (val(S'), R 1 ) such that ^ &. Clearly |= T', and from Lemma B.4 the 
result follows. □ 

7. Assessment of Postulates for Change 

Do our action theory change operators satisfy the classical postulates for change? Before 
answering this question, one should ask: do our operators behave like revision or update 
operators? We here address this issue and then show which postulates for theory change 
are satisfied by our definitions. 

7.1 Contraction or Erasure? 

The distinction between revision/contraction and update/erasure for classical theories is 
historically controversial in the literature. The same is true for the case of modal theories 
describing actions and their effects. We here rephrase Katsuno and Mendelzon's defini- 
tions (1992) in our terms so that we can see to which one our method is closer. 

In Katsuno and Mendelzon's view, contracting a law $ from an action theory T intu- 
itively means that the description of the possible behavior of the dynamic world 7~must be 
adjusted to the possibility of <!> being false. This amounts to selecting from the models of 
-i<P those that are closest to models of 7"and allow them as models of the result. 

In contrast, update methods select, for each model ^ of T, the set of models of $ that 
are closest to ^ . Erasing from Tmeans adding models to T\ for each model ^#, we add 
all those models closest to ^ in which <P is false. Hence, from our constructions so far it 
seems that our operators are closer to update than to revision. 

Moreover, according to Katsuno and Mendelzon's view (1992), our change operators 
would also be classified as update because we make modifications in each model inde- 
pendently, i.e., without changing other models. 6 Besides that, in our setting a different 
ordering on the resulting models is induced by each model of the theory T (see Defini- 
tions 3.3, 3.7 and 3.10), which according to Katsuno and Mendelzon is a typical property 
of an update/erasure method. 

Nevertheless, things get quite different when it comes to the postulates for theory change. 

7.2 The Postulates 

In this section we analyze the behavior of our action theory change operators with respect 
to AGM-like postulates. Here we follow Katsuno and Mendelzon's presentation of the 



6. Even if when contracting an effect law from one particular model we need to check the other models of 
the theory, those are not modified. 
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postulates to assess both contraction and erasure. Let 7 = S U £ U X denote an action 
theory and <P denote a law. 

Monotonicity Postulate: 7 fa 7', for all 7"' £7^. 

■mi 

This postulate is our version of Katsuno and Mendelzon's (CI) and (El) postulates 
for contraction and erasure, respectively, and it is satisfied by our change operators. The 
proof is in Lemma A.l. Such a postulate is not satisfied by the operators proposed by 
Herzig et al. (2006): there when removing e.g. an executability law <p — > (a)T one may 
make <p — > [a]_L valid in all models of the resulting theory. 

Preservation Postulate: If T^ <£, then fa T-H- T' , for all V £ 71. 

This is Katsuno and Mendelzon's (C2) postulate. Our operators satisfy it as far as 
whenever 7 fa 4>, then the models of the resulting theory are exactly the models of 7, 
because these are the minimal models falsifying <&. 

The corresponding version of Katsuno and Mendelzon's (E2) postulate about erasure, 
i.e., if 7 fa _i ^, then fa 7 ^ 7' , for all 7' £ TZ, is clearly also satisfied by our operators 
as a special case of the postulate above. Satisfaction of (C2) indicates that our operators 
are closer to contraction than to erasure. 

Success Postulate: If 7 fa _L and fa $, then V fa $, for all V £ 71. 

This postulate is our version of Katsuno and Mendelzon's (C3) and (E3) postulates. If 
<!> is a propositional tp £ S'ml, our operators satisfy it, as long as the classical propositional 
change operator satisfies it as well. For the general case, however, as stated the postulate is 
not always satisfied. This is shown by the following example: let 7= {^p, (a)T,p — > [a] J-}. 
Note that 7~is modular and consistent. Now, contracting the (contingent) formula p — > (a)T 
from Tgives us 7' = 7 Clearly 7' fa p — > {a)T. This happens because, despite not being a 
tautology, p — > (a)T is a 'trivial' formula with respect to 7. since —>p is valid in all "^models, 
p — > (a)T is trivially true in these models (cf. end of Section 3.1). 

Fortunately, for all those formulas that are non-trivial consequences of the theory, our 
operators guarantee success of contraction: 

Theorem 7.1 Let 7 be consistent, and $ be an executability or an effect law such that 
S fa <&. If 7 is modular, then 7' fa $ for every 7' £ 71. 

Proof: Let us suppose that there is some 7' £ 7^ such that 7' fa <$. Since 7~is modular, 

Corollary 6.1 tells us that fa $ for every JC' £ M' such that M' £ M$, where M = {J% : 
|= # Tand^ = (val{S),R)}. 

If |= <L> for every Jt' £ M' , then even for Jt" £ M'\M we have fa <P. But J£" £ Jt$ 

Mil _ 

for some j% £ M, and by definition fa <P. Hence M^ = 0, and then the truth of ^ in jtft 
does not depend on the accessibility relation R a . Hence, whether <P has the form ip — > (a)T 
or <p — > [a]ip, for <p,ip £ ^m[, this holds only if S fa p . —>ip (see Definitions 3.1 and 3.5), and 
therefore we get S fa <P. □ 

•mi 

223 



Varzinczak 



Equivalences Postulate: If |== 71 <-> 7i and (= <?i f> ^2, then k 71' <-» T%, for some 

rXiT, rXjT, r\7], 

71' G (Ti)^ 2 and 7a' e(T 2 )^. 

This postulate corresponds to Katsuno and Mendelzon's (C4) and (E4) postulates. It 
is worth noting that equivalence here is considered always modulo action laws, i.e., the 
formulas are assumed to be either static laws, effect laws or executability laws, as well as 
their equivalents. Moreover we remember that the theories here must be action theories, 
i.e., sets of action laws of our three basic types. Under modularity and the assumption that 
the prepositional change operator satisfies (C4)/(E4), our operations satisfy this postulate: 

Theorem 7.2 Let 71 and 7i be modular. If k 71 •<->■ 7i and k $1 H $2, then for each 
7{ E (71)^ 2 there is 7{ E (7i)^ such that k 71' •<->• 7{, and vice-versa. 

Proof: The proof follows straight from our results: since |== 7i -O- 7i and k &1 f-> ^2, they 

.•# .•# 

have pairwise the same models. Hence, given jtft such that |= 71 and |= 72, the semantic 
contraction of (£>i and that of ^2 from ^# have the same operations on ^ . As 71 and 7i 
are modular, Corollary 6.1 guarantees we get the same syntactical results. Moreover, as the 
classical operator satisfies (C4)/(E4), if follows that |= 71' <-> To- n 

Recovery Postulate: V U {$} k 71 for all T' £ 71. 

This is the action theory counterpart of Katsuno and Mendelzon's (C5) and (E5) pos- 
tulates. Again we rely on modularity in order to satisfy it. 

Theorem 7.3 Let 7 be modular. 7' U {$} k 71 for all 7' E7l. 

Proof: If 7 k $, because our operators satisfy the preservation postulate, 7' = 7, and 
then the result follows by monotonicity. 

Let 7"k <£, and let M' denote the set of all models of 7' ■ As 7"is modular, by Corol- 

lary 6.1 every j^' E M' is such that either |= T(and then |= 0) or j^' E contract(^ , <&) 
(and then ^' E *rf£$) for some jtft such that |= 7 

Let M" denote the set of all models of 7' U {&}. Clearly M" C M' , by monotonicity. 
Moreover, every ^#" £ Ai" is such that k <P, hence jM" £ M^ for every ^ such that 

k 71 and then ^" ^ contract(^ , <P) , for any ^ model of X Thus ^#" is a model of T 
and then T' U {<£} k T □ 

Let V/7$ denote the disjunction of all 7' in 7^. 

Disjunctive Rule: (71 V Tij)^ is equivalent to V/ (71) J V V/ {Ti)®. 

This is our version of (E8) erasure postulate by Katsuno and Mendelzon. Clearly our 
syntactical operators do not manage to contract a law from a disjunction of theories: 71 V7i 
is not an action theory and cannot in general be rewritten as one. Nevertheless, by proving 
that it holds in the semantics, from the correctness of our operators, we get an equivalent 
operation. Again the fact that the theories under concern are modular gives us the result. 
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Theorem 7.4 Let 71 and 7i be modular, and & be a law. Then 

i^V ( r i v w <* (V oi)i v V (TO 

Proof: 

(<=): Let ^T' be such that \='\j (J x )~ VV/ (T 2 )^. Then f^"v (Ti)^ or |= # 'v/ (75)*. Suppose 

|= V (7i)# (th e other case is analogous). Then there is (71)' G (71)* such that |= (71)'. 
Then by Corollary 6.1, there is M! G A4^ such that ^' G A4', for Ai a set of models of 
71. Then ./#' is a model resulting from contracting <P from models of 71 , and then ^#' also 
results from contracting in models of 71 V 75, viz. those models of 71- Then by Corol- 
lary 6.1, there is (71 V 75)' G (71 V 75)* such that |= # '(71 V 75)', and then \='\j (71 V 75)*. 

(=^): Let .#' be such that ^ \/ (71 V 75)*. Then there is (71 V75)' G (71 V 75)^" such that 

^= # (71 V 75)'. By Corollary 6.1, there is M' G M$ such that .#' G M' , for .M a set of 
models of 71 V 75- Then j$' is a model resulting from contracting <P from models of 71 V 75- 
Hence jtft 1 results from contracting <P from models of 71 or from models of 75- Suppose the 
former is the case (the second is analogous). Then by Corollary 6.1 there is (71)' G (71)^ 

such that |= (71)', and then |= V(71)^- n 

We have thus shown that our constructions satisfy the (E8) postulate. Nevertheless, 
as far as we see, it is not immediate whether it is really expected here. This supports our 
position that our operators' behavior is closer to contraction than to erasure. 

As we have seen from the results above, modularity is a sufficient condition for the 
satisfaction of the AGM-like postulates for action theory contraction. To finish up we state 
a new postulate: 

Preservation of Modularity: If 7"is modular, then every T' G 7J is modular. 

Changing a modular theory should not make it non-modular. This is not a standard 
postulate, but we think that since it is a good property modularity should be preserved 
across changing an action theory. If so, this means that whether a theory is modular or 
not can be checked once for all and one does not need to care about it during the future 
evolution of the action theory, i.e., when other changes will be made on it. Our operators 
satisfy this postulate and the proof is given in Appendix B. 

Now one may naturally asks whether we can get a characterization result in the tra- 
ditional AGM sense, i.e., whether any contraction operator satisfying all our versions of 
the postulates is one of our three contraction operations. Unfortunately, good sense points 
towards a negative answer: there might well be an operator satisfying all the above postu- 
lates that, by not complying with all the assumptions in the RAC community (Shanahan, 
1997), is not necessarily one of the operators defined in Section 3 (cf. the discussion on 
general formula contraction in Section 10). To witness, consider for example an operator 
that also modifies worlds when contracting effect laws. This supports one of the contentions 
of the present work, viz. that classical belief change cannot be fully transposed to action 
theories and expected to give exactly the same kind of outcome. Similar negative results 
have also been found for revision in DL ontologies (Flouris, Plexousakis, & Antoniou, 2004) 
and contraction of Horn theories (Booth, Meyer, & Varzinczak, 2009). 

225 



Varzinczak 



8. A Semantics for Action Theory Revision 

So far we have analyzed the case of contraction: the knowledge engineer realizes that the 
theory is too strong and therefore it has to be weakened. Let us now take a look at the 
other way round, i.e., the theory is (possibly) too liberal and the agent discovers new laws 
about the world that should be added to her beliefs, which amounts to strengthening them. 

Suppose that the action theory of our scenario example were initially stated as follows: 

{coffee — > hot, token — > {buy)T, 
-•coffee — > [buy]coffee, ->token — > [buy]-L, 
coffee — > [buy]coffee, hot — > [buy]hot 

Then the canonical model of theory 7~is as shown in Figure 15. 
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Figure 15: Canonical model of the new initial action domain description. 

Looking at model ^ in Figure 15 we can see that, for example, the agent does not know 
that she loses her token every time she buys coffee at the machine. This is a new law that 
she should incorporate to her knowledge base at some stage of her action theory evolution. 

Contrary to contraction, where we want the negation of some law to become satisfiable, 
in revision we want to make a new law valid. This means that one has to eliminate all cases 
satisfying its negation. This depicts the duality between revision and contraction: whereas 
in the latter one invalidates a formula by making its negation satishable, in the former one 
makes a formula valid by forcing its negation to be unsatisfiable prior to adding the new 
law to the theory. 

The idea behind our semantics for revision is as follows: we initially have a set of models 
M. in which a given formula <P is (potentially) not valid, i.e., <$> is (possibly) not true in 
every model in M.. In the result we want to have only models of ^. Adding ^-models to 
M. is of no help. Moreover, adding models makes us lose laws: the corresponding resulting 
theory would be more liberal. 

One solution amounts to deleting from Ai those models that are not ^-models. Of 
course removing only some of them does not solve the problem, we must delete every such a 
model. By doing that, all resulting models will be models of <P. (This corresponds to theory 
expansion, when the resulting theory is satishable.) However, if Ai contains no model of 
$, we will end up with 0. Consequence: the resulting theory is inconsistent. (This is the 
main revision problem.) In this case the solution is to substitute each model ^£ in A4 by 
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its nearest modification ^£ that makes <P true. This lets us to keep as close as possible to 
the original models we had. But, what if for one model in Ai there are several minimal 
(incomparable) modifications of it validating <?? In that case we shall consider all of them. 
The result will also be a list of models M$, all being models of <&. 

Before defining the revision of sets of models, we present what modifications of (indi- 
vidual) models are. 

8.1 Revising a Model by a Static Law 

Suppose that our coffee deliverer agent discovers that the only hot drink that is served on 
the machine is coffee. In this case, she might want to revise her beliefs with the new static 
law ^coffee — > ~^hot: she cannot hold a hot drink that is not a coffee. 

Considering the model depicted in Figure 15, one can see that the Boolean formula 
-^coffee A hot is satisfiable (there is a world of the model in which it holds). Since we do 
not want this to be the case, the first step is to remove all worlds in which -^coffee A hot is 
true. The second step is to guarantee that all the remaining worlds (if any) satisfy the new 
static law. Such an issue has been largely addressed in the literature on prepositional belief 
base revision and update (Gardenfors, 1988; Winslett, 1988; Katsuno &; Mendelzon, 1992; 
Herzig &; Rifi, 1999). Here we can achieve that with a semantics similar to that of classical 
revision operators: basically one can change the set of possible valuations, by removing or 
adding worlds. 

In our example, removing the possible worlds {t, -ic, h} and {-■£, —>c, h} would do the job 
(there is no need to add new valuations since the new incoming law is already satisfied in at 
least one world of the original model, and therefore the resulting set of worlds is non-empty). 

The delicate point in removing worlds is that this may have as consequence the loss of 
some executability laws: in the example, if there were some transition from some world w 
to say {—it, —>c, h}, then removing the latter from the model would make the action under 
concern no longer executable in w, if it was the only transition labeled by that action leaving 
it. From a semantic point of view, this is intuitive: if the state of the world to which we 
could move is no longer possible, then we do not have a transition to that state anymore. 
Therefore, if that transition was the only one we had, it is natural to lose it. 

Similarly, one could ask what to do with the accessibility relation if new worlds are 
added, i.e., when expansion is not possible. Following the discussion in Section 3.3, we here 
prefer not to add new transitions systematically to the accessibility relation. Hence we shall 
postpone correction of executability laws, if needed. This approach may be debatable, but 
with the information we have at hand, this is the safest way of changing static laws. (See 
also the discussion in Sections 3.3 and 4.2.) 

The semantics for revision of one model by a static law is as follows: 

Definition 8.1 Let JZ = ( W, R) . JZ' = ( W, Rl) <E JK* if and only if: 

• W' = (W\ val(^(p)) U W v , where W v C val{ip); and 

• R' C R. 
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Clearly unless tp t p| _L, we have that |= <p for each j$' £ ^t,- The minimal models 
resulting from revising a model j% by ip are those closest to ^ with respect to -<.$'■ 

Definition 8.2 Let ^ be a model and ip a static law. revise(^ , ip) = ljmin{^#*, :!#}. 

In the example of model jtft in Figure 15, revise{^ ,—> coffee — > —>hot) is the singleton 
'}, where ^' is as shown in Figure 16. 
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Figure 16: Model resulting from revising the model ^# in Figure 15 with ^coffee — > —>hot. 

8.2 Revising a Model by an Effect Law 

Let us suppose now that our agent eventually discovers that after buying coffee she does 
not keep her token anymore. (That was a design mistake that the agent still possesses a 
token even after ordering a coffee at the machine). This means that her theory should now 
be revised in such a way that the new effect law token — > [buy]^token holds. Looking at 
model j$ in Figure 15, this amounts to guaranteeing that the formula token A (buy)token 
is satishable in none of its worlds. To do that, we have to look at all the worlds satisfying 
this formula (if any) and either (i) make token false in each of these worlds; or (ii) make 
(buy)token false in all of them. If we chose the first option, we will essentially flip the truth 
value of literal token in the respective worlds, which changes the set of valuations of the 
model. If we chose the latter, we will basically remove buy-a,rrows leading to token-worlds. 
In that case, a change in the accessibility relation will be made. 

In our example, we have that the possible worlds {token, coffee, hot}, {token, -^coffee, hot} 
and {token, -* coffee, ~^hot} satisfy token A {buy)token and all they have to change. 

Flipping token in all these worlds to -^token would do the job, but would also have 
as consequence the introduction of a new static law: -^token would now be valid, i.e., the 
agent never has a token! Another issue with this approach is that by making -^token true 
everywhere, the new incoming law token — > [buy]^token will be trivially true in the resulting 
model, which does not mean that there is an execution of action buy from a iofcen-world 
to a -itofeen one. This defeats the purpose of changing the action theory on the basis that 
it has been observed that every execution of the action under consideration should lead to 
-ifo&en-contexts. 

One of our contentions in the present work is that changing action laws should never 
have as a side effect a change in the static laws (cf. Sections 3 and 4). Given their special sta- 
tus (Shanahan, 1997), these should change only if explicitly required. In this case, each world 
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satisfying token A (buy)token has to be changed so that (buy)token is no longer true in it. 
In our example, we should remove the transitions ({token, coffee, hot}, {token, coffee, hot}), 
({token, -^coffee, hot}, {token, coffee, hot}) and ({token, -^coffee, -^hot}, {token, coffee, hot}). 

The semantics of one model revision for the case of a new effect law is: 
Definition 8.3 Let JZ = ( W, R). JZ' = ( W, Rl) <E -*^U [(# if and only if: 

• W = W; 

• R! C R; 

• If (w, w') £ R \ R 1 , then |= <p; and 

• r= <P -> [<#■ 

The minimal models resulting from the revision of a model j% by a new effect law are 
those that are closest to ^ with respect to our order on the models rl#: 

Definition 8.4 Let M be a model and ip — > [a]ip an effect law. revise(^,cp — > [a]tp) = 



IJmin 



\ a U> ^.#j- 



Taking once again j#Z as shown in Figure 15, revise(^£ , token 
the singleton {^'} (Figure 17). 
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Figure 17: Model resulting from revising the model ^# in Figure 15 with the new effect law 
tokens [buy]-itoken. 



8.3 Revising a Model by an Executability Law 

Let us now suppose that in some stage it has been decided to grant free coffee to everybody 
Faced with this information, the agent will now revise her laws to reflect the fact that buy 
can also be executed in -itofcen-contexts: -^token — > (buy)T is a new executability law (and 
therefore we will have (buy)T in all new models of the agent's beliefs). 

Considering again the model in Figure 15, we observe that -^(-^token — > (buy)T) is 
satisfiable in <M . This means that we must throw -^token A [6mj/]_L away to ensure that the 
new formula becomes true in the new model, i.e., satisfied by all of its worlds. 
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To remove -^token A [6uy]_L we have to look at all worlds satisfying it and modify j^ 
so that they no longer satisfy that formula. Given worlds {^token, ^coffee, ~^hot} and 
{-■tofeen, ^coffee, hot}, we have two options: change the interpretation of token or add new 
transitions leaving these worlds. A question that arises is 'what choice is more drastic: 
change a world or a transition'? Again, here we think that changing the world's content 
(the valuation) is more drastic, as the existence of such a world was foreseen by some static 
law and is hence assumed to be as it is, unless we have enough information supporting 
the contrary, in which case we explicitly change the static laws (see above). Moreover, 
changing the truth value of token in these worlds would trivialize the new incoming law 
-^token — > (buy)T in the new model, defeating the purpose of guaranteeing the existence of 
a 6w?/-transition from a -itofcen-context. Therefore we shall add a new buy-arrow from each 
of {-itofcen, -^coffee, -^hot} and {^token, -^coffee, hot}. 

Having agreed on that, the issue now is: which worlds should the new transitions be 
directed to? Recalling the reasoning developed in Section 3.2, in order to comply with 
minimal change, the new transitions shall be directed to worlds that are relevant targets 
of each of the -itofcen-worlds in question. In our example, {^token, coffee, hot} is the only 
relevant target world here: the two other -^token- worlds violate the effect coffee of buy, while 
the three token-worlds would make us violate the frame axiom -^token — > [buy]^token. 

The semantics for one model revision by a new executability law is as follows: 
Definition 8.5 LetJt={W,R). JK 1 = ( W, Rl) G ^*_, {a)T if and only if: 

• W = W; 

• R C R'; 

• // (w, w') G Rl \ R, then w' G RelTarget(w, ip — > [a]_L, M , M); and 

r # ' . / \-r 

• |= (p — > (a) I . 

The minimal models resulting from revising a model ^ by a new executability law are 
those closest to ^ with respect to -<,$: 

Definition 8.6 Let ^ be a model and ip — > (a)T be an executability law. revise(^,ip — > 
<a)T) = Umin{^*^ (a)T ,^. # }. 

In our running example, revise(^ ' , -^token — > (buy)T) is the singleton {^'}, where ^#' 
is as depicted in Figure 18. 

In this example, observe that because we have a single relevant target world we get a 
single model in the result of revision. 

8.4 Revising Sets of Models 

Up until now we have seen what the revision of single models means. This is needed when 
expansion by the new law is not possible due to inconsistency. We here give a unified 
definition of revision of a set of models M. by a new law <&: 
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(-.*,-.<=, -.a) 



(t,-.c,-./i) 



(-.f,-.c,ft) 



Figure 18: Result of revising ^ in Figure 15 by the new executability law ^token — > (buy)T. 



Definition 8.7 Let M. be a set of models and & be a law. Then 



M% = 



M \ {J( : ^ &}, if there is Jt e M such that ^ #; 
U #g.m revise(^ , &) , otherwise. 



Observe that Definition 8.7 comprises both expansion and revision: in the first one, simple 
addition of the new law gives a satisfiable theory; in the latter a deeper change is needed 
to get rid of inconsistency. 

9. Related Work 

To the best of our knowledge, the first work on updating an action domain description is 
that by Li and Pereira (1996) in a narrative-based action description language (Gelfond & 
Lifschitz, 1993). Contrary to us, however, they mainly investigate the problem of updating 
the narrative with new observed facts and (possibly) with occurrences of actions that explain 
those facts. This amounts to updating a given state/configuration of the world (in our terms, 
what is true in a possible world) and focusing on the models of the narrative in which some 
actions took place (in our terms, the models of the action theory with a particular sequence 
of action executions). Clearly the models of the action laws remain the same. 

Baral and Lobo (1997) introduce extensions of action languages that allow for some 
causal laws to be stated as defeasible. Their work is similar to ours in that they also allow 
for weakening of laws: in their setting, effect propositions can be replaced by what they call 
defeasible (weakened versions of) effect propositions. Our approach is different from theirs 
in the way executability laws are dealt with. Here executability laws are explicit and we 
are also able to contract them. This feature is important when the qualification problem is 
considered: we may always discover contexts that preclude the execution of a given action 
(cf. the Introduction). 

Liberatore (2000) proposes a framework for reasoning about actions in which it is pos- 
sible to express a given semantics of belief update, like Winslett's (1988) and Katsuno and 
Mendelzon's (1992). This means it is the formalism, essentially an action description lan- 
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guage, that is used to describe updates (the change of propositions from one state of the 
world to another) by expressing them as laws in the action theory. 

The main difference between Liberatore's work (2000) and Li and Pereira's (1996) is 
that, despite not being concerned, at least a priori, with changing action laws, Liberatore's 
framework allows for abductively introducing in the action theory new effect propositions 
(effect laws, in our terms) that consistently explain the occurrence of an event. 

The work by Eiter et al. (2005) is similar to ours in that they also propose a framework 
which is oriented to updating action laws. They mainly investigate the case where e.g. 
a new effect law is added to the description (and then has to be true in all models of the 
modified theory). This problem is the dual of contraction and is then closer to our definition 
of revision (cf. Section 8). 

In Eiter et al.'s framework (2005), action theories are described in a variant of a narrative- 
based action description language. Like in the present work, the semantics is also in terms 
of transition systems, with transitions (action occurrences) linking states (configurations 
of the world). Contrary to us, however, the minimality condition on the outcome of the 
update is in terms of inclusion of sets of laws, which means that the approach is more syntax 
oriented to some extent. 

In their setting, during an update an action theory Tis seen as composed of two pieces, 
T u and T m , where T u stands for the part of 7~that is not supposed to change and T m contains 
the laws which may be modified. In our terms, when contracting a static law we would 
have T m = <SU X a ; when contracting an executability law T m = X a ; and when contracting 
effects laws T m = &a- The difference here is that in our approach it is always clear what 
laws should not change in a given type of contraction, and therefore T u and T m do not need 
to be explicitly specified prior to the update. 

Their approach and ours can both be described as constraint-based update, in that the 
theory change is carried out relative to some constraints (a set of laws that we want to hold 
in the result). In our framework, for example, all changes in the action laws are relative to 
the set of static laws S (and that is why we concentrate on models of Thaving val(S) as 
worlds). When changing a law, we want to keep the same set of states. The difference with 
respect to Eiter et al.'s (2005) approach is that there it is also possible to update a theory 
relatively to e.g. executability laws: when expanding Twith a new effect law, one may want 
to constrain the change so that the action under concern is guaranteed to be executable in 
the result. 7 As shown in the referred work, this may require the withdrawal of some static 
law. Hence, in Eiter et al.'s framework, static laws do not have the same status as in ours. 

Herzig et al. (2006) define a method for action theory contraction that, despite the 
similarity with the current work and the common underlying motivations, is more limited 
than the present constructions. 

First, with the referred approach we do not get minimal change. For example, in the 
referred work the operator for contracting executability laws is such that in the resulting 
theory the modified set of executability laws is given by 

<*7 = {((Pi A -¥>) -> (a)T : <p t -> (a)T e X a } 



7. We could simulate that in our approach with two successive modifications of T: first adding the effect 
law and then an executability law (cf. Section 8). 
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which, according to its semantics, gives theories among whose models are those resulting 
from removing transitions from all y-worlds. A similar comment can be made with respect 
to contraction of effect laws. 

Second, Herzig et al.'s (2006) contraction method does not satisfy most of the postulates 
for action theory change that we have addressed in Section 7. Besides not satisfying the 
monotonicity postulate, it does not satisfy the preservation one. To witness, suppose that 
we have a language with only one atom p, and the model ^ depicted in Figure f9. 




Figure 19: Counter-example to preservation in the method by Herzig et al. (2006). 

Then |= p — > [a]-<p and ^ M -1 ^- Now the contraction operator defined there is such 
that when removing [a]^p from ^ yields the model ^' in Figure 19 such that R' a = Wx W. 

Then ^ p — > [a]^p, i.e., the effect law p — > [a]^p is not preserved. 

Finally, another work that is related to ours is that by Zhang and Ding (2008). Like 
ours, their approach is also about giving a semantic characterization of the basic operations 
for changing Kripke models. Contrary to us however, their focus is on model checking, not 
on entailment. Despite the definition and use of operations that in essence are similar to 
ours (modifications of the set of possible worlds or of the accessibility relation), their work 
is concerned mainly with modifications of a single model, not with that of sets of models 
as we do, and hence it does not provide operations for changing action laws. Because of 
that, their approach is not directly comparable to ours, since here we are interested in 
entailment-based revision. 

10. Concluding Remarks 

In this work we have addressed the problem of changing an action domain description for 
reasoning about actions, a problem not sufficiently investigated in the literature so far. 
We have seen the intuitions behind such a kind of theory modification and have given a 
semantics for action theory change in terms of distances between models that captures the 
notion of minimal change. We have given algorithms to contract a formula from a theory 
that terminate and that are correct with respect to our semantics (Corollary 6.1). We have 
shown the importance that our modularity notion has in this result and in others. 

We have also extended Varzinczak's investigations (2008) by defining a semantics for 
action theory revision based on minimal modifications of models. For the corresponding 
revision algorithms, the reader is referred to the work by Varzinczak (2009). One of our 
ongoing research topics is on assessing our revision operators' behavior with respect to 
appropriate versions of the ACM postulates for revision (Alchourron et al., 1985) and its 
links with the contraction counterpart. 

With our algorithms we provide a set of tools to be used by the knowledge engineer in an 
interactive and possibly iterative way to modify an action theory. These tools are guaranteed 
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to perform minimal change when assisting the knowledge engineer in implementing her 
desired modifications. They give her a set of options and it is up to the knowledge engineer 
to decide which one is more in line with her intuitions. 

Given that action theory change is not a single step operation, the knowledge engineer is 
expected to make use of the contraction/revision operators to make a series of modifications 
that eventually will give a fine-grained theory not entailing the contracted laws and entailing 
the new learned laws about the domain. 

For the sake of presentation, here we have abstracted from the frame and ramification 
problems. However our definitions could have been stated in a formalism with a suit- 
able solution to them, like Castilho et al.'s approaches (1999, 2002). With regards to the 
qualification problem, this is not ignored here: contracting wrong executability laws is an 
approach towards its solution. Indeed, given the difficulty of stating all sufficient conditions 
for executability of an action, the knowledge engineer writes down some of them and lets 
the theory 'evolve' via subsequent revisions. 

A possible criticism to the approach here developed concerns the cautiousness of our 
operator for contracting static laws: we prefer to lose some executability laws rather than 
induce them and lose effect laws. This behavior could make our operators to be interpreted 
as incoherent. We have pointed out nevertheless that this is in line with largely accepted 
assumptions in the RAC community, and moreover we have shown the impossibility of a 
non-cautious static law contraction operator that complies with all that and is coherent 
with the other operators. 

Indeed one of the purposes of the present work is to shed some light on the fundamental 
differences between belief change in action domain descriptions and in logical theories in 
general. Classical belief change cannot be fully transplanted to action theories, and here we 
have shown why (cf. Sections 3.2, 4.2, 5.3 and 8.3). 

In particular, looking at the postulates of classical belief change (or our versions thereof) 
one sees that they are not enough to fully characterize operators for action theory change. 
For that to be achieved the fundamental assumptions in reasoning about actions that we 
have extensively used throughout this work should somehow be 'compiled' into postulates 
supplementing the classical ones. It is not immediately clear what these new postulates 
would look like, but this is an interesting thread of investigation worth pursuing. 

It might also be argued that our semantic operations do not respect the principle of 
categorical matching, given that the input and output are different sorts of objects, viz. a 
set of models and a set of sets of models (cf. Definitions 3.3, 3.7 and 3.10). It is easy to see, 
however, that our semantic constructions could have been defined in such a way that each 
M' £ M~£ corresponds to the result of one contraction operator. The choice for defining 
the result of an operation as a set of possible outputs was driven by the definition of the 
algorithms, where a theory (corresponding to a set of models) is given as input and the 
output is a set of theories (hence corresponding to a set of set of models). 

Although the semantic operators can be redefined to satisfy the principle of cate- 
gorical matching, the same is not immediate about the algorithms (they would be non- 
deterministic). Therefore we preferred to keep a balance between the semantic and the 
syntactic definitions so that we see more clearly their direct correspondence. 
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One of our contentions here is that sticking to modular theories (and hence to canon- 
ical models) is not a big deal: we can use existent algorithms in the literature (Herzig & 
Varzinczak, 2007) to ensure that an action theory 7"is characterized by its canonical models. 

We have seen that under modularity, our operators satisfy all the postulates for con- 
traction: Modularity is one of the sufficient conditions for Success in Theorem 7.1. It is 
also a sufficient condition in Theorem 7.2, and, as shown in Theorem 7.3, it is a sufficient 
condition for Recovery. Finally it is also a sufficient condition for the Disjunctive Rule 
to hold, and is shown to be preserved by the contraction operators (cf. last paragraph of 
Section 7.2, proof in Appendix B). Preservation of modularity is an important result since 
it means that it has to be checked/ensured at most once during the lifetime of the action 
theory. All these results support the thesis that our modularity notion is fruitful. 

By forcing formulas to be explicitly stated in their respective modules (and thus possibly 
making them inferable in independently different ways), modularity intuitively could be 
seen to diminish elaboration tolerance (McCarthy, 1998). For instance, when contracting a 
Boolean formula <p in a non-modular theory, it seems reasonable to expect not to change the 
set of static laws S, while the theory being modular surely forces changing such a module. It 
is not difficult, however, to conceive non-modular theories in which contraction of a formula 
if may demand a change in S as well. As an example, suppose S = {ip\ — > ip^) in an action 
theory from whose dynamic part we (implicitly) infer ~^f>2- In this case, contracting —np\ 
while keeping -1^2 would necessarily ask for a change in S. 

We point out nevertheless that in both cases (modular and non-modular) the extra work 
in changing other modules stays in the mechanical level, i.e., in the algorithms that carry 
out the modification, and does not augment in a significant way the amount of work the 
knowledge engineer is expected to do. 

Contrary to the trend in the belief change community, where the focus is either on belief 
bases or belief sets (Hansson, 1999), the method here proposed is a hybrid one (Delgrande, 
2009). On one hand, semantics plays a crucial role in the notion of minimal change here 
studied. On the other hand, we deal only with domain descriptions in reasoning about 
actions, which are sets of laws of specific types. On top of that, the modularity property (a 
syntactical one) is fundamental to our main results. 

Following those lines, another issue that drives our future research on the subject is how 
to contract not only laws but any K ra -formula. As defined, the order of application of our 
operators matter in the final result: if we contract ip and then <p — > [a]ip from a theory T, 
the result may not be the same as contracting <p — > [a]ip first and then removing if. This 
problem would not appear in a more general framework in which any formula could be 
contracted: removing ip A (ip — > [a]ip) should give the same result as (<p — > [a]tp) A <p. This 
is the principle of syntax independence (Dalai, 1988). 

Related to that is the question on how our revision definitions relate to our contraction 
operators. What is known is that the Levi identity (1977), 1% = Tl^§ U {^}, in general 
does not hold for action laws (effect and executability ones). The reason is that up to now 
there is no contraction operator for -1$ where <P is an effect or an executability law. Indeed 
this is the general contraction problem for non-classical logics: contraction of a general 
formula (like —1$ above) is still an open problem in the belief change area. Some insights in 
this direction are given by our revision definitions, with which we make —1$ false in every 
possible world of a Kripke model. 
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Definitions 3.1, 3.5 and 3.8 appear to be important for better understanding the problem 
of contracting general formulas: basically the set of modifications to perform in a given 
model in order to force it to falsify a general formula will comprise removal/addition of 
transitions/worlds. The definition of a general revision/contraction method will then benefit 
from our constructions. 

Furthermore, given the well-known connection between multimodal logics and Descrip- 
tion Logics (Baader, Calvanese, McGuinness, Nardi, & Patel-Schneider, 2003), we believe 
that our definitions may also contribute to ontology evolution and debugging in some specific 
families of DLs. 

Acknowledgments 

Parts of this work have been done during the author's stay at the Institut de Recherche en 
Informatique de Toulouse (IRIT), France, and during his visit to the National ICT Australia 
(NICTA), Sydney. 

The author is grateful to the anonymous referees for their constructive and useful re- 
marks, which helped improving the quality of the work. The paper has also benefited from 
discussions with Andreas Herzig and Laurent Perrussel. 

Special thanks to my colleagues at the Meraka Institute Anna Britz, Ken Halland, 
Johannes Heidema and Tommie Meyer for their invaluable comments and suggestions on 
earlier versions of this article. 

Appendix A. Proof of Theorem 6.2 

Let T be modular, and <P be a law. For all M! £ M~^ such that \= T for every ^# £ M, 
there is T' £ 7J such that |= T' for every M' £ M! . 

Before we give the proof of this theorem, we will need the following lemma (cf. the 
Monotonicity Postulate in Section 7.2): 

Lemma A.l T|=s T' ■ 

Proof: Let Tbe an action theory, and let T 1 £ 7^, for a given law ^. We are going to 
analyze each case. 

Let be of the form <p — > (a)T, for some ip £ Jml. Then T' is such that 
r = (T\ X a ) U {(cpi A -(Tr A tp A )) -> (a)T : Vi -+ (a)T £ XJ 



where n £ IP(S A ip) and ip A = A p . £ ^m Pi A A p . £ ^m ^Pi, for some A C atm(n). 

Let ^ = (W, R) be such that |= T- It is enough to show that <M is a model of the new 
laws. For every (ipi /\^(n /\cpa)) — > (a)T, for every w £ W, if |= ip* A^(tt A<pa), then |= ipi. 
Because T^b fi — > {a)T, |= ipi — > (o)T, and then R a (w) ^ 0. 

Therefore we have that |= T' . 
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Let now <P have the form <p — > [a]ip, for tp,ip G ^ml. Then T is such that 

(T\S-)U 

{(<Pi A -i(7r A ^)) ->■ [a]^>j : <£i ->• [<#» £ £«T} u 

7-/ = {('Pi A 7r A ^) ->■ [a](-0i V it') : <£i ->■ [a]ipi G £"} U 

£ G L, for some L C £it s.t. 
(vr A <^ A £) -> [a](^ V £) : 5 \f (vr' A A £gL ■£) -> -L, and £ G vr' 

or T^ (vr A (^ A £) ->• [a]-.£ 

where £" = Ui<i< n (£^)i> ^ ^ IP(S Atp), (p A = A P . 6 ^wft AA p . eiR n Pi , for some 

p;6^ Pi^^ 

4 C atm(n), and vr' G 7P(5 A -.^). 

.# 
Let ^ = ( IF, i?) be such that \= T. It is enough to show that jtft is a model of the 

added laws. Given (ipi A -i(ir A <£a)) — > [ajipi, for every u; G W, if |= y>j A — i(7r A 1/3,4), then 

|= <fi. Because 7~|=b <£>i — > [a\i[>i, |= ¥>i — > [a\ipi, and then |=.^i for every w' G IF such that 
(w,w') G R a . 

For (</?i A 7T A ^a) — > [a\(ipi V 7r'), for every u> G IF, if |= (pi Air A ipA, then again |=, i/>j 
for every 10 ' G W such that (w,w') G i? a - 

Now, given (n A (^ A I) — > [a](ip V £), for every u> G IF, if |= 7r A </?^ A £, then |= 7r, and 

then 1= (p. Since 7~h> <p — > \a]ib, we have \= ip — > \a\ib, and then 1= ib for every w' G W 
such that (w,w') G i?„. 
Therefore |= # T'. 

Let ^ be a propositional <p. Then T' is such that 

((T\s)us-)\x a u 

T = {(pi A^)-> <o)T : ^ -> (a)T G * a } U 
{^ -> [a]±} 

for some S~ G 5 <p. 

Let ^ = ( W, R) be such that |= T- It suffices to show that ^ satisfies the added laws. 
Since we assume behaves like a classical contraction operator, like e.g. Katsuno and 
Mendelzon's (1992), we have |= S — > S~ , and then, because |= S, we have |= S~ . 

Now given (ipi A ip) — > (ffi)T, for every tu £ IF, if |= </?i A <p, then |= y>j, and because 

|= ipi — > (a)T, we have R a (w) ^ 0. 

Finally, for -k/? — >• [a]_L, because |= </?, ^# trivially satisfies -193 — > [a]_L. 

Therefore |= # T'. □ 

Proof of Theorem 6.2 

Let M = {Jt : \= 7}, and M' G M$. We show that there is T' G 7^ such that |= T' 
for every JK' G A4'. 
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By definition, each ^#' G M 1 is such that either |= Tor ^= ^. Because 7^ 7^ 0, there 
must be T 7 £ 7J. If |= TJ by Lemma A.l |= 7"' and we are done. Let us then suppose 
that p <£. We analyze each case. 

Let $ have the form p -> (a)T for some ip G gmt. Then ^' = ( W ! , R'), where W* = W, 
R' = R\ R%, with ^ = {(w, w') : |=% and (w, w') G £„}, for some Jt G .M. 

Let rx G W 1 be such that ^ p — > (a)T, i.e., |= p and R' a {u) = 0. 

Because u lh </?, there must be«£ base(ip, W) such that v C u. Let 7r = f\ i£v £. Clearly 
7r is a prime implicant oi S Aip. Let also ^ = f\i Gu \ v £, and consider 

T' = (T\ *J U {fo A -(Tr A ^)) -> <o)T : Vi -> (a)T G X a ] 

(Clearly, T' is a theory produced by Algorithm 1.) 

It is enough to show that ^K' is a model of the new added laws. Given {ipi A—>(ttAipa)) —> 
(a)T G T', for every w G W ', if 1= ida A -i(ir A uj). then 1= ft, from what it follows 1= <£;. 
Because |= <^j — > (a)T, there is w' G W 7 " such that w' G R a {w). We need to show that 
(w,w') G i?' a . If ^ (/?, then Rf a = 0, and (w,w') G i?' a . If |= <y?, either w = u, and then from 

|= 7r A tpA we conclude |= (^ A -<(jr A (Pa)) —> («)T, or to 7^ ti and then we must have 
(w,w') G #„, otherwise there is S£ C Rf a such that R-(R \ S£) C fl-(J2 \ JZ£), and then 
^" = (W, R \ S%) is such that p 97 — >• (ffl)T and */#" -<_# ^#', a contradiction because 
jtft' is minimal with respect to ~<.a- Thus (w,w') G i2' a , and then |= (a)T. Hence |= T' . 

Now let $ be of the form p> — > [a]?/>, for 97, i/> both Boolean. Then ^' = ( W 7 ', i?'), where 
W = W, R' = R U iC^> with 

^a'^ = (K«/) : w' e RelTarget(w,p^ [a]ip , J? , M)} 

for some ^ = ( W, iZ) G M. 

Let n G W 7 ' be such that p 97 — >• [a]^. Then there is it' G W 7 ' such that (it, u') G Rl a and 

p ; "0. Because u lh <£>, there is v G base(p, W) such that v C u, and as it' II — i^>, there must 
be v' G base^ip, W 1 ) such that 1/ C u'. Let 7r = f\ i( z v £, Pa = l\t> ( z u \ v £ 1 an d 7r ' = l\l&v' ?■ 
Clearly ir (resp. n') is a prime implicant of 5 A p> (resp. S A ->'!/>). 
Now let £~ = [Ji<i< n (£a )i and let the theory 

(T\£-)u 

{(pi A -.(7T A p A )) ->■ [a]ipi : ipi -> [a]^i G £~} U 

-y-/ = {(</?; A 7r A y}^) -> [a](^j V 7t') : </?; -^ [a]ipi e £'} U 

£ £ L, for some L C £it s.t. 
(vr A p A A £) -> [a](?/> V £) : 5 f/ (vr' A Af GL ^) -> -•-, and ^^' 

or T^ (tt A pa A £) -> [a]->£ 

(Clearly, T' is a theory produced by Algorithm 2.) 
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In order to show that j%' is a model of T' , it is enough to show that it is a model of the 
added laws. Given ((piA^(-irA(pA)) — > [a]ipi G T', for every w G W , if |= ipiA-i(TrAipA), then 
1= u>i, and then 1= u>i. Because 1= <pi — > \a\ibi, 1= ibi for all w' G W 7 such that (w,w') G i? a - 
We need to show that R' a {w) = R a {w). If ^=%, then R^ = 0, and then R' a (w) = R a (w). 

If |= ip, then either w = u, and from |= 7r A y^ we conclude |= (ipi A — i(7r A ^yl)) - >• \d[ipi, 
or w ^ u, and then we must have R^'^ = 0, otherwise there would be S^'^ C R^'^ such 
that R-(RUS%>^) C R-(RUR^), and then ^" = ( W.flU S£'^) would be such that 
^= 97 — >• [a]^> and ^" ~<.g jft 1 ■> a contradiction since jffl' is minimal with respect to ~<..g- 
Hence R' a (w) = R a (w), and |=, ^ for all w' such that (w,w') G i?' a . 

Now, given (^ A n A pa) — > [a](^» V 7r'), for every u> £ W 7 ', if |= (pi A it A ipA, then 
1= ip;, and then 1= <p;. Because, 1= w; — > \a\ibi, we have 1= ibi for all w' & W such that 

ID 11) 'If Ljr/ „' 

(«;, «/) G i? a , and then |=, ^ for every w' £ W* such that (w, w') G i?' a \ R^'^ . Now, given 
(«;,«/) G R^'^, \=, tt', and the result follows. 

Now, for each (tt A ipA A £) -> [a](^ V £), for every w G W 7 ', if |= tt A ipA A £, then 
|= </?, and then |= tp. Because |= ip — > [a]ib, we have \= t ib for every w G W such that 
(w,w') G i? a , and then |= ; ^ for all w/ G W 7 ' such that (w,w') G i?' a \ -ff^'~' . It remains to 
show that 1= £ for every w' G W 7 ' such that (w,w') G R% ■ Since ,/#' is minimal, it is 

1 w' J v ' ' a 

enough to show that |= £ for every £ G £it such that \= tt A ipA At. If £ G 7r', the result 
follows. Otherwise, suppose p, ^. Then 

• either —>£ G 7r', then 7r' and £ are unsatisfiable, and in this case Algorithm 2 has not 
put the law (tt A <pa A £) — > [a](ip V £) in T' , a contradiction; 

• or —i£ G tt' \ i/. In this case, there is a valuation w" = (u 1 \ {^£}) U {£} such that 
it" 1/ i/>. We must have u" G W 7 ', otherwise there will be L' = {£{ : £{ G u"} such that 
^"N? W ^ /\i£L' f-i) ~~ ^ -L) anc ^' because Tis modular, 5 |=F PL (v' A Af -eL' ^*) "" ^ -*-' an( ^ 
then Algorithm 2 has not put the law (tt A <pa A £) — > [a](ip V £) in T', a contradiction. 
Then u" G W 7 ', and moreover -u" ^ R^'^(u), otherwise j$' is not minimal. As 
u"\u C u ! \u, the only reason why n" ^ R^'^(u) is that there is £' G nflu" such that 
\= i ' iKi-tu^J ~^ [ a \^' f° r every Jd G A1 if and only it £' £ i/ for any i/ G base(^ip, W) 
such that ?/ C u". Clearly £' = £, and because £ ^ 7r', we have |= * f\t. &u £j — > [a]^£ 
for every ^#^ G A4. Then Thj (7r A <pa A £) — > [a]^£, and then Algorithm 2 has not 
put the law (tt A <pa A £) — > [a](^ V £) in 7"', a contradiction. 

Hence we have |=, ^ V £ for every «/ G W 7 ' such that (w,w') G i?' a . 

Putting the above results together, we get |= T 1 . 

Let now be some prepositional <p. Then j#6' = (W 1 ,R'), where W C W 7 ', i?' = _R, is 
minimal with respect to rl#, he., W is a minimal superset of W such that there is u G M^ 
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with u \f ip. Because we have assumed the syntactical classical contraction operator is 
sound and complete with respect to its semantics and is moreover minimal, then there must 

be S~ G S 9 <p such that W = val(S~). Therefore \^' S~ . 

Because R' = R, every effect law of T remains true in j^' . 

Now, let 

((T\5)U5-)\^ B U 

T = {(ipi Aip)^ (o)T : ifi -> (a)T G X a ] U 

{^ -> [a]±] 

(Clearly, T' is a theory produced by Algorithm 3.) 

For every (<pi A ip) — > (a)T G T' and every w G W ', if |= <pi A (p, then R a (w) ^ 0, 
because |= <y?i — > (a)T. Given —up — > [a]_L, for every w G W ', if |= —><p, then w = u, and 

#a(™) = fif- 

Putting all these results together, we have |= T' . □ 

Appendix B. Proof of Theorem 6.3 

#' _ 

Let T be modular, <P a law, and T' G 7J. For all jffl' such that |= T' , there is M! G M.$ 

such that M' G M! and |= 7" /or every ^C G A4. 

In order to prove this result, first we need to show four important lemmas. 

Lemma B.l Let <P be a law. IfTis modular, then every T' G 7^ is modular. 

Proof: Let <P be nonclassical, and suppose there is T' G 7^ such that T' is not modular. 
Then there is some ip' G 5"m[ such that 7"' |=b <£>' an d «5' Ittdi V 9 ') where 5' is the set of static 

t\ n L.KL 

laws in T' ■ By Lemma A.l, 7~|=b 7"', and then we have 7" hi <£>'. Because ^ is nonclassical, 
S' = S. Thus 5 hip. <p', and therefore 7"is not modular. 

Let now ^ be some ip G Sttil. Then 

((T\«s)us-)\* n u 

T = {(Pi Acp)^ (o)T : ^ -> (o)T G #J U 
{^ -> [a]±} 

for some <S~ G S (p. 

Assume that Tis modular, and let <p' G 5"ml be such that T' hi </?' and S~ h^ D , y 5 '- 

As S~ t'cpiV') there is w G val(S~) such that u 1/ </?'. If w G val(S), then 5 trpiV') an d 

as 7"is modular, 7"hi </?'. By Lemma A.l, 7~h> T', and we have T h= ip', a contradiction. 

Hence i> ^ val(S). Moreover, we must have v \f p, otherwise has not worked as expected. 
Let j^ = (W,R) be such that |= T 1 ■ (We extend J% to another model of T' ■) Let 

Jt' = {W,R') be such that W = WU {v} and R' = R. To show that JC' is a model 

of T', it suffices to show that v satisfies every law in T' ■ As v G val(S~), \= S~ . Given 
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-up — > [a] A. G T', as v 1/ ip and R' a (v) = 0, |= -k^ — > [a]_L. Now, for every ^ — > [a]^ G T', 

if |= y?i, then we trivially have |= ipi for every if such that (v, v 1 ) G i?' a . Finally, given 

((pi A </?) — > (a)T G T', as v \f ip, the formula trivially holds in v. Hence |= T 7 , and because 
there is v G W such that ^ ip', we have T"' ^4 ^>', a contradiction. Hence for all ip' G 3ml 
such that T' |=j5- V 9 '; £" rrpi f'i an d then T' is modular. □ 

Lemma B.2 // ^ can = {W ca n, Rcan) is a model of T, then for every ^# = (W,R) such 
that \= T there is a minimal (with respect to set inclusion) extension R' C R can \ R such 
that M' = (val(S), R U R 1 ) is a model of T- 

Proof: Let ^ can = ( W ca n, Rcan) be a model of T, and let jtft = (W,R) be such that |= T. 
Consider M' = (val(S),R). If \= T, we have Rl = C R can \ R that is minimal. Suppose 
then ^= T. We extend jtft' to a model of Tthat is a minimal extension of jtft . As ^ T, 
there is v G val(S) \ W such that b^ T Then there is $ G Tsuch that \f <?. If $ is 
some (^ G 5"ml, as v G W can , ^can is not a model of T. If $ is of the form <£> — > [a]i/), for 
<p,ip E. ^mt, there is i/ G val(S) such that (v,i/) G i? a and ?/ 1/ ?/>, a contradiction since 

R a (v) = 0. Let now have the form ip — > (a)T for some p G 3mL Then |= <p. As u G W can , 

if ^ C "V ->■ (a)T, then \f ca "T. Hence, R cana {v) ^ 0. Thus taking any (v, il) G i? C an a gives 
us a minimal R' = {(v, v 1 )} such that ^#" = (val(S), R U i?') is a model of X □ 

Lemma B.3 Let T be modular, and <P be a law. Then T|=b <P if and only if every J{' = 
(val(S),R'} such that \= ' T and R C R' is a model of<P. 

Proof: 

(=>): Straightforward, since T\^> implies |= ^ for every ^# such that |= T, in particular 
for those which are extensions of some model of T- 

(<=): Suppose T^4 <P. Then there is ^ = (W, R) such that |= Tand p <£. As Tis modular, 
the canonical frame ^ C an = ( W ca n, Rcan) of 7~is a model of T. Then by Lemma B.2 there is 
a minimal extension R 1 of R with respect to R can such that jtft' = (val(S), RL)R') is a model 
of T. Because p <I>, there is w G VF such that ^ ^. If <!> is some propositional <p G 5"m[ or 

an effect law, any extension <dt' of ^# is such that ^ <?. If <? is of the form <^> — > (a)T, 

then |= ip and R a {w) = 0. As any extension of ^# is such that (u,v) G Rl if and only if 
u G val{S) \ W, only worlds other than those in W get a new departing transition. Thus 

(RUR') a (w) = 0, and then ^"<2>. □ 

Lemma B.4 Lei T 6e modular, a law, and T' G 7J. If ^t 1 = (val(S r ), Rl) is a model 

of T' , then there is M. = {^# : ^ = (val(S),R) and |= 7} swc/i tftai M' G 7V4' /or some 
M'eM^. 
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Proof: Let ^' = (val(S'),R') be such that |= T' ■ If |= T, the result follows. Let us 
suppose then p T- We analyze each case. 

Let <& be of the form ip — > (a)T, for some ip G grnL Let At = {^ : M = {val(S), R)}. 
Since by hypothesis Tis modular, from Lemmas B.2 and B.3 it follows that Ai is non-empty 
and contains only models of T. 

Suppose ^' is not a minimal model of 7"', i.e., there is jtft" such that ^(" -<.g J& 1 for 
some jtft G .M. Then ./#' and ^#" differ only in the executability of a in a given ip- wo rid, 
viz. a 7T A (^-context, for some tt G IP{S A </?) and ip A = A P . € ^oft A A p . £ ^m -ft such 



that A C atm(ir). Because fz (n A if a) — > («)T, we must have |= (7r A if a) — > (ffl)T and 
then p= X Hence ^# is minimal with respect to ~<.d- 

When contracting executability laws, S' = S . Hence taking the right R and a minimal 
Rl such that Jt = (val{S), R) and R' = R\R%, for some R^ C {(to, to') :|=% and (to, w') G 
it! a }, we construct M' = M U {^f'} G .M - ^ > T . 

Let ^ now be of the form ip — > [a]ip, for ip, ip G 3m[. Let .M = {^# : ^ = (val(S), R)}. 
Since by hypothesis 7~is modular, from Lemmas B.2 and B.3 it follows that Ai is non-empty 
and contains only models of T. 

We claim that jtft' has only one transition linking a ip- world, viz. a context ipi A n A ipA 
for some vr G IP(S A p) and <£a = A Pie ^M ft A A Pi <=^M -ft, su ch that ^ £ otm(Tr), to a 

7r'- world, where %' G /P(<S A -, ?/>). The proof is as follows: given £ G £it such that £ holds 
in this ipi A 7T A t/^-world 

• if (tt A ^ A £) ->• [o](^ V £) ^ T', then £ ^ vr' and Tb (tt A ip A A £) ->• [aHl Then 
this world has only -^-successors. 

• if (7T A ^ A £) — > [a](ip V £) G T', then every 7r'-successor is an .£- world. 

By successively applying this reasoning to each £ that holds in this ipi A 7r A y^-world, we 
will end up with only one 7r'-successor. 

Suppose now that M' is not a minimal model of T', i.e., there is J%" such that |= T' 
and jtft" ~<.g jM 1 for some ^ G .M. Then ^' and i/#" differ only in the effects on 
that ipi A 7T A (^^-world: ^#" has no transition linking it to a 7r'-world. Then we have 
\= (ifi A 7T A 1/9^4) — > [a]tpi, and then |= T. Therefore ^{ is a minimal model of T with 
respect to -<.%. 

When contracting effect laws, S' = S. Thus taking the right R and a minimal R^ 

such that .# = (val(S),R) and #' = RUR^, for some i^ C {(w,w') :\= ip and «;' G 
RelTarget(w,ip -> [a]ip,^C,M)}, we construct Af = Ar U {^'} G -A4~^r , ,. 

Let now <Z> be y> for some <p G 3tn[. Since Tis modular, by Lemmas B.2 and B.3 there 
is M = (val(S),R) such that |= T. We know val(S) C val(S~). Because -197 — > [a]_L G T', 
R' a (v) = for every -n^-world v added in ./#'. Hence, because is minimal, taking Ai = 
{^#} gives us the result. □ 
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Proof of Theorem 6.3 

From the hypothesis that Tis modular and Lemma B.l, it follows that T' is modular, 
too. Then ^' = (val(S'),R) is a model of T' , by Lemma B.3. From this and Lemma B.4 
the result follows. □ 
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